API Keys

The API Keys view in the Auth.it Dashboard allows you to create and manage the API keys used to programmatically access the Auth.it administrative API.

API Keys view

Creating an API key

To create a new API key, click Add API Key at the top right. In the Add API Key dialog, enter a name that will also be used as the client ID, and select the permissions you want to grant to the key.

Adding an API key

When creating a key, follow the principle of least authority and grant only the minimum permissions required for your application to function. A key with fewer permissions gives an attacker less to work with if it leaks, which limits the potential impact of a security incident.

Once the key has been created, you can copy the client ID and secret from the list of keys.

The list of API keys

If you believe that an API key has been compromised, invalidate it by deleting it from the list. To delete an API key, open the three-dot menu to the right of a key entry, then click Delete:

Deleting an API key

Using an API key

Each API key consists of a client ID and a client secret:

  • The client ID is a public identifier for the application that will call the API.
  • The client secret should only be known to your application and Auth.it; it serves as the password.

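Together, the client ID and secret are used to request a short-lived access token from Auth.it. This token is then included in the `Authorization: Bearer` header of each API request. With this indirection, the long-lived secret is sent only when requesting a token, and the token that travels with each request expires quickly, which reduces the risk of token compromise or replay attacks.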
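The following added example (not Auth.it's own code or SDK) sketches a client that exchanges the client ID and secret for a token, caches it, renews it shortly before expiry, and builds the Bearer header. The endpoint URL, the OAuth 2.0 client-credentials request and response shape, and the names `fetch_token` and `TokenSource` are assumptions; the real endpoint and format are in the API documentation.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

# Assumption: placeholder endpoint; the real URL is in the Auth.it API documentation.
TOKEN_URL = "https://auth.example.invalid/oauth/token"


def fetch_token(client_id, client_secret):
    """Exchange the key for (access_token, lifetime_seconds); assumed OAuth 2.0 shape."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode({"grant_type": "client_credentials"}).encode()
    req = urllib.request.Request(TOKEN_URL, data=body,
                                 headers={"Authorization": f"Basic {basic}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        doc = json.load(resp)
    return doc["access_token"], int(doc["expires_in"])


class TokenSource:
    """Caches the short-lived token and renews it shortly before expiry."""
    def __init__(self, client_id, client_secret, fetch=fetch_token,
                 clock=time.monotonic, skew=30):
        self._id, self._secret = client_id, client_secret
        self._fetch, self._clock, self._skew = fetch, clock, skew
        self._token, self._expires_at = None, 0.0

    def token(self):
        # Renew `skew` seconds early so a request never carries an expired token.
        if self._token is None or self._clock() >= self._expires_at - self._skew:
            self._token, ttl = self._fetch(self._id, self._secret)
            self._expires_at = self._clock() + ttl
        return self._token

    def headers(self):
        return {"Authorization": f"Bearer {self.token()}"}

    def __repr__(self):
        # Keep the secret and the token out of logs and tracebacks.
        return f"TokenSource(client_id={self._id!r})"


if __name__ == "__main__":
    # Constructed stand-in for the token endpoint so the demo runs offline.
    demo = TokenSource("my-app", "constructed-secret",
                       fetch=lambda cid, sec: ("constructed-token", 300))
    print(demo, demo.headers())
```

In a real deployment, load the client secret from the environment or a secret store rather than from source code, and pass `headers()` to each API request.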

To learn more about authenticating with and using the Auth.it API, see the API documentation, especially the SDK guide.