Concept
Authentication Keys (or Key Sets) in ApiShare provide secure access management to APIs for users and applications. This feature enables the creation, assignment, rotation, and revocation of access keys in compliance with security policies and operational requirements.
Key functionalities include:
Automatic Key Assignment: Keys are provisioned upon API subscription.
Key Reuse: Existing keys can be reused for new subscriptions if policy conditions match.
Manual and Automatic Key Rotation: Keys can be manually regenerated or automatically rotated based on policy settings.
State Management: Keys can be active, suspended, revoked, or expired.
Policy-Based Governance: Administrators define key expiration, rotation frequency, and usage rules via policy templates.
Why Key Governance Matters
Effective governance of authentication keys is critical for API security, ensuring controlled access while minimizing risks of unauthorized use. By implementing structured key management policies, organizations can enhance security, maintain compliance, and optimize access control for API consumers.
Key Set State Transition Diagram
To better understand the lifecycle of a Key Set, refer to the state transition diagram below. This diagram illustrates the different states a Key Set can go through and the actions that trigger transitions between these states:

Pending → Active (Action: Activate): A new Key Set is created and becomes active.
Active → Suspended (Action: Suspend): The Key Set is temporarily disabled.
Suspended → Active (Action: Activate): A suspended Key Set is reactivated.
Active → Revoked (Action: Revoke): The Key Set is permanently disabled.
Suspended → Revoked (Action: Revoke): A suspended Key Set can also be revoked.
Active → Expired (Action: Expire Automatically): If the Key Set reaches its expiration date, it moves to an expired state.
Suspended → Expired (Action: Expire Automatically): A suspended Key Set can also expire automatically.
This structured transition ensures that Key Sets follow a controlled and secure lifecycle, preventing unauthorized API access while maintaining flexibility for API consumers.
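The transitions listed above as a small state machine, added here as an illustration and not ApiShare's own code: the KeySet class, its method names and the use of Unix epoch seconds for dates are assumptions. Revoked and Expired are modelled as terminal states, and expiry is applied automatically before any manual action is considered.

```python
# Allowed Key Set transitions from the page's diagram: {current_state: {action: next_state}}
TRANSITIONS = {
    "Pending":   {"Activate": "Active"},
    "Active":    {"Suspend": "Suspended", "Revoke": "Revoked", "Expire": "Expired"},
    "Suspended": {"Activate": "Active", "Revoke": "Revoked", "Expire": "Expired"},
    "Revoked":   {},  # terminal: a revoked Key Set is never reactivated
    "Expired":   {},  # terminal: an expired Key Set is replaced, not revived
}


class KeySet:
    """Minimal lifecycle model (assumed names; not ApiShare's implementation).

    Timestamps are Unix epoch seconds so the example needs no external dependencies.
    """

    def __init__(self, key_id, expires_at):
        self.key_id = key_id
        self.state = "Pending"
        self.expires_at = expires_at
        self.history = []  # audit trail of (from_state, action, to_state)

    def expire_if_due(self, now):
        """Automatic expiry: Active or Suspended sets move to Expired once the date passes."""
        if self.state in ("Active", "Suspended") and now >= self.expires_at:
            self._move("Expire", "Expired")
        return self.state

    def apply(self, action, now):
        """Apply a manual action (Activate, Suspend, Revoke); reject anything the diagram forbids."""
        self.expire_if_due(now)  # expiry takes precedence over a late manual action
        next_state = TRANSITIONS[self.state].get(action)
        if next_state is None or action == "Expire":  # Expire is automatic only
            raise ValueError(f"'{action}' is not allowed from state {self.state}")
        return self._move(action, next_state)

    def is_usable(self, now):
        """Only an Active, unexpired Key Set should be accepted at the gateway."""
        return self.expire_if_due(now) == "Active"

    def _move(self, action, next_state):
        self.history.append((self.state, action, next_state))
        self.state = next_state
        return self.state


if __name__ == "__main__":
    ks = KeySet("ks-demo", expires_at=1_900_000_000)  # constructed sample Key Set
    ks.apply("Activate", now=1_800_000_000)
    ks.apply("Suspend", now=1_800_000_500)
    print(ks.state, ks.is_usable(now=1_950_000_000), ks.history)
```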
Supported Key Types
The key types supported within a Key Set depend on the third-party systems being integrated and on the practices the user adopts to protect their APIs. Commonly used key types align with OAuth2 conventions, such as clientId and clientSecret, or simpler models like a single apiKey or combinations such as appId and appKey.
ApiShare allows flexible configuration of authentication types, enabling organizations to align key management with their internal security standards. However, it is strongly recommended to verify which key types are supported by the API Gateway in use, as key sets are tightly coupled with the authentication mechanisms configured at the gateway level.