Re: Changes to RIPE Atlas API keys
Hi!
* We'll deprecate and remove the ability to use the URL form in about a year (around October 2024).
* We plan to send further reminders about this change over time, as well as reaching out to heavy users of the to-be-removed format.

It’s October 2024. Is this plan still valid? I admit that I have a bunch of tools which use the URL form, which I would have to update to use the "Authorization" header.

Regards,
Grzegorz

From: Robert Kisteleki <robert@ripe.net>
Organisation: RIPE NCC
Date: Tuesday, 19 September 2023 at 12:11
To: "ripe-atlas@ripe.net" <ripe-atlas@ripe.net>
Subject: [atlas] Changes to RIPE Atlas API keys

Dear RIPE Atlas users,

We'd like to update you on some upcoming changes regarding API keys in RIPE Atlas.

TL;DR nothing changes regarding how you can use your API keys in the short term - as long as you're actually using them. However, we'll change how unused or forgotten keys are handled as well as remove the less secure in-URL use of them.

At the moment RIPE Atlas users can query their existing API keys via the UI and API, including the possibility to retrieve old keys. In order to improve the security of how we handle these, we'll introduce the following changes in October 2023:

* The listing (retrieval) of keys will only reveal parts of the keys (enough to identify them) in the API as well as in the UI.
* We'll add the ability to "regenerate" an API key, which will replace the secret UUID of the key while keeping exactly the same permissions.
* Unused API keys will automatically be frozen after 1 year of not being used. Active keys (i.e. the ones that have been used at least once) will not be frozen.

You still have the ability to save your keys until these changes are done and, as written above, you will be able to regenerate them later. We'll notify this list when the changes are about to be done.

In addition, in order to further increase the security of our system, in the long run we'll make changes about how these API keys are communicated to the API:

* At the moment the API accepts these either in HTTP headers ("Authorization" header) or in the URL (?key=xyz), although the Authorization header version has been documented as the preferred version for some time.
* We'll deprecate and remove the ability to use the URL form in about a year (around October 2024).
* We plan to send further reminders about this change over time, as well as reaching out to heavy users of the to-be-removed format.

Regards,
Robert Kisteleki
RIPE Atlas team
Hello,

TL;DR there's still heavy use of the old method, so we need to extend this timeline; I'll put energy into reaching out to identifiable top users.

In the last month the key vs. header use was about 50-50, so clearly we can't remove support for the old method just yet. There are some heavy hitters, so assuming they can make the change there's a chance this can change. It also helps the cause if you can make this change as well :-)

As an explicit call for action for the users reading this: when you use API keys, please use the authorization header ("Authorization: Key xxxxxxx") instead of the query parameter (?key=xxxx).

The other changes were executed as planned.

Regards,
Robert

On Fri, Oct 18, 2024 at 1:34 AM Ponikierski, Grzegorz <gponikie@akamai.com> wrote:
Hi!
* We'll deprecate and remove the ability to use the URL form in about a
year (around October 2024).
* We plan to send further reminders about this change over time, as well
as reaching out to heavy users of the to-be-removed format.
It’s October 2024. Is this plan still valid? I admit that I have a bunch of tools which use the URL form, which I would have to update to use the "Authorization" header.
Regards,
Grzegorz
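For tools that still build URLs with `?key=`, the switch requested above can be made in one place. The following Python is an added example, not code from the RIPE Atlas team or from the posters: it moves the key out of the query string into the `Authorization: Key ...` header and masks it for logging. The function names are hypothetical, and the endpoint URL and all-zero key are constructed sample values.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit
from urllib.request import Request

# Constructed sample input: legacy URL form with a placeholder key.
LEGACY_URL = ("https://atlas.ripe.net/api/v2/measurements/"
              "?key=00000000-0000-0000-0000-000000000000&page_size=5")


def migrate_key_url(url, fallback_key=None):
    """Split a legacy '?key=...' URL into (clean_url, headers).

    The key is dropped from the query string and carried in the
    'Authorization: Key <key>' header form named in the thread.
    """
    parts = urlsplit(url)
    key, kept = None, []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name == "key":
            key = value or key          # remember it, keep it out of the URL
        else:
            kept.append((name, value))
    key = key or fallback_key           # e.g. a key loaded from the environment
    clean = urlunsplit(parts._replace(query=urlencode(kept)))
    headers = {"Authorization": f"Key {key}"} if key else {}
    return clean, headers


def build_request(url, fallback_key=None):
    """Build (but do not send) a request that uses the header form."""
    clean, headers = migrate_key_url(url, fallback_key)
    return Request(clean, headers=headers)


def redact(url):
    """Mask any key value so an old-style URL can be logged safely."""
    parts = urlsplit(url)
    pairs = [(n, "REDACTED" if n == "key" else v)
             for n, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


if __name__ == "__main__":
    req = build_request(LEGACY_URL)
    print("request URL:", req.full_url)
    print("header set :", req.has_header("Authorization"))
    print("log-safe   :", redact(LEGACY_URL))
```

Routing every call in an existing tool through a wrapper like `build_request` means old URL strings in configuration keep working while the key stops appearing in request lines.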
Robert, is it safe to assume that the URL method will still be available until the end of November?

Regards,
Grzegorz

From: Robert Kisteleki <robert@ripe.net>
Date: Friday, 18 October 2024 at 09:10
To: "Ponikierski, Grzegorz" <gponikie@akamai.com>
Cc: "ripe-atlas@ripe.net" <ripe-atlas@ripe.net>
Subject: Re: [atlas] Changes to RIPE Atlas API keys

Hello,

TL;DR there's still heavy use of the old method, so we need to extend this timeline; I'll put energy into reaching out to identifiable top users.

In the last month the key vs. header use was about 50-50, so clearly we can't remove support for the old method just yet. There are some heavy hitters, so assuming they can make the change there's a chance this can change. It also helps the cause if you can make this change as well :-)

As an explicit call for action for the users reading this: when you use API keys, please use the authorization header ("Authorization: Key xxxxxxx") instead of the query parameter (?key=xxxx).

The other changes were executed as planned.

Regards,
Robert

On Fri, Oct 18, 2024 at 1:34 AM Ponikierski, Grzegorz <gponikie@akamai.com> wrote:
Hi!
* We'll deprecate and remove the ability to use the URL form in about a
year (around October 2024).
* We plan to send further reminders about this change over time, as well
as reaching out to heavy users of the to-be-removed format.
It’s October 2024. Is this plan still valid? I admit that I have a bunch of tools which use the URL form, which I would have to update to use the "Authorization" header.
Regards,
Grzegorz
Hello,

Yes it is safe to assume that - this is not urgent, it will take time until we reach negligible use of the URL method.

Regards,
Robert

On Mon, Oct 21, 2024 at 5:27 PM Ponikierski, Grzegorz <gponikie@akamai.com> wrote:
Robert, is it safe to assume that the URL method will still be available until the end of November?
Regards,
Grzegorz
participants (2)
- Ponikierski, Grzegorz
- Robert Kisteleki