Skip to main content

API Access

This feature allows users to generate and manage API tokens for accessing the platform programmatically.

Regenerating API Tokens

Users can view and regenerate API tokens to authenticate their requests to the platform's API.

Important behavior and guidance:

  • For security, the API key is stored hashed. The cleartext value is only shown immediately after generation/regeneration and cannot be retrieved later.
  • You must copy or securely store the new key at the moment it is generated/regenerated. Subsequent visits will show a masked/hashed value only.
  • Regenerating a key immediately invalidates the previous key.

Here is what the token regeneration page looks like in an app:

Storybook

Security Considerations

When generating and managing API tokens, follow best practices to protect your account and data:

  • Copy and securely store the key immediately after generation/regeneration. It won’t be shown again in cleartext.
  • Never commit keys to source control. Use environment variables or your secrets manager.
  • Rotate keys regularly and revoke keys that are no longer needed.
  • Use the least privilege principle by generating tokens with the minimum required permissions.
  • Monitor usage and alerts on suspicious access where supported.

Key lifecycle and UX intent

The API Access feature is designed to minimise risk by reducing exposure of long-lived secrets:

  • Generation: A new key is created and displayed once in cleartext so the user can copy it.
  • Storage: Only a hashed value is persisted; cleartext is not retrievable.
  • Regeneration: The previous key is invalidated and a new key is shown once in cleartext.
  • Copy action: The UI exposes a copy button only immediately after a generate/regenerate event to reinforce “copy-once” behavior.

This design aligns with common secret-management guidance and helps prevent accidental leakage of credentials in screenshots or shared screens.

Developer notes

  • The UI is provided by the APIAccess component from @krakentech/blueprint-dashboard/client.
  • Translations must provide the following keys: copy-button-aria-label, no-key-text, generate-key-text, regenerate-button-text, text-field-label.
  • Test mocks are available via @krakentech/blueprint-dashboard/msw-handlers with constants for scenario selection (e.g., API_ACCESS_TEST_SCENARIOS).