Hi!

 

> * We'll deprecate and remove the ability to use the URL form in about a

> year (around October 2024).

> * We plan to send further reminders about this change over time, as well

> as reaching out to heavy users of the to-be-removed format.

 

It’s October 2024. Is this plan still valid? I admit that I have a bunch of tools which use URL form which I would have to update to use "Authorization" header.

 

Regards,

Grzegorz

 

From: Robert Kisteleki <robert@ripe.net>
Organisation: RIPE NCC
Date: Tuesday, 19 September 2023 at 12:11
To: "ripe-atlas@ripe.net" <ripe-atlas@ripe.net>
Subject: [atlas] Changes to RIPE Atlas API keys

 

 

Dear RIPE Atlas users,

 

We'd like to update you on some upcoming changes regarding API keys in

RIPE Atlas.

 

TL;DR nothing changes regarding how you can use your API keys in the

short term - as long as you're actually using them. However, we'll

change how unused or forgotten keys are handled as well as remove the

less secure in-URL use of them.

 

 

At the moment RIPE Atlas users can query their existing API keys via the

UI and API, including the possibility to retrieve old keys. In order to

improve the security of how we handle these, we'll introduce the

following changes in October 2023:

 

* The listing (retrieval) of keys will only reveal parts of the keys

(enough to identify them) in the API as well as in the UI.

 

* We'll add the ability to "regenerate" an API key, which will replace

the secret UUID of the key while keeping exactly the same permissions.

 

* Unused API keys will automatically be frozen after 1 year of not being

used. Active keys (i.e. the ones that have been used at least once) will

not be frozen.

 

You still have the ability to save your keys until these changes are

done and, as written above, you will be able to regenerate them later.

We'll notify this list when the changes are about to be done.

 

 

In addition, in order to further increase the security of our system, in

the long run we'll make changes about how these API keys are

communicated to the API:

 

* At the moment the API accepts these either in HTTP headers

("Authorization" header) or in the URL (?key=xyz), although the

Authorization header version has been documented as the preferred

version for some time.

 

* We'll deprecate and remove the ability to use the URL form in about a

year (around October 2024).

 

* We plan to send further reminders about this change over time, as well

as reaching out to heavy users of the to-be-removed format.

 

Regards,

Robert Kisteleki

RIPE Atlas team

 

 

 

 

--

ripe-atlas mailing list

ripe-atlas@ripe.net

https://urldefense.com/v3/__https://lists.ripe.net/mailman/listinfo/ripe-atlas__;!!GjvTz_vk!Wi_DSsCLVJtBYcJLq0JfVI0k44BDeJc2zPhdUEHSyCDx2T24Qq89J6xnw5w8g8AouyL-5xzkENJ0$