Generated API key scope

heyareth · April 12, 2017, 9:28pm

We were using an API key that was generated by the API to manage devices over multiple applications. This functionality seems to have been broke. Are the API keys now only valid per application. If this is the case is the only workaround for shipping a product that can use the API across all applications to include the username and password?

Thanks,
-Areth

lifeeth · April 13, 2017, 7:53am

Hey Areth,

Could you let me know the endpoint you are using for generating the API key?

If you are referring to the AUTH token in https://dashboard.resin.io/preferences/details - this token expires periodically and needs to be refreshed.

heyareth · April 14, 2017, 5:47pm

Not the AUTH token. We used the AUTH token to generate the API key.

The only API key generation endpoint I could find is not documented in the API but is in the python SDK

api.resin.io/ewa/application/<app_is>/generate-api-key

I have an API key that was generated a while ago by another developer that used to work for the entire API (not just specific applications). I believe it was generated with a similar call to a generate-api-key endpoint but I can’t find a reference to that in your documentation. We were using to automate features for our users. For instance we would set an environment variable by calling:

POST: https://api.resin.io/ewa/device_environment_variable/?apikey=<api_key> with some data.

I was trying to figure out why these calls were failing and saw the application specific API key endpoint and wondered if that had replaced the old API wide key. If so that would explain why our old key stopped working.

curcuz · April 14, 2017, 6:01pm

Hi @heyareth I am not aware of any API andpoint to generate API keys ( we provide the auth token mechanism instead ) but maybe @Page knows better

if you look at the docs, it is described using auth token https://docs.resin.io/runtime/data-api/#resource-environment-variables

heyareth · April 21, 2017, 5:51pm

Cool. Thanks

It definitely exists and is documented in a round about way in the Python SDK docs.

https://docs.resin.io/tools/python-sdk/#function-get_api_key-name-

Perhaps I am misreading the purpose of it or perhaps it was recently deprecated?

shaunmulligan · April 21, 2017, 6:56pm

Hey @heyareth, it’s not deprecated, but currently the API key that is generated there is non-revokable, so we do not document it currently. @Page has been working on the API keys story and may have additional info to add as well.

_Page · April 21, 2017, 7:41pm

The API key is indeed non-revokable at the moment, and as it is designed to be used on devices by the supervisor it is also restricted compared to a user token, so the issue you’re hitting is likely due to that restriction, there are plans to add a fully fledged API key system in future but I’m not sure what the status of that is

Topic		Replies	Views
Auth Token without expiration to use API Product support	13	2919	May 2, 2018
Some questions about the Resin API Product support	6	575	April 28, 2018
Token Expired - resin.auth.loginWithToken Product support support	3	733	May 2, 2018
Server to Server Authentication Product support support , raspberrypi3	11	1008	May 2, 2018
AWS IOT + Resin.io. How to prevent illegal key generation Product support	2	651	October 27, 2017

Generated API key scope

Related topics