Configuring and installing Panel Service requires permission to initialize an API key and then to read the resulting API key on the Install Service settings page.
Retrieval and rollover of API Keys are restricted to the Admin role.
API Keys are passed in a request header to bypass the normal .NET verification token (CSRF) validation that is applied to all requests. For this bypass to apply, the API Key value must be passed in the X-API-Key header, not as a query parameter.
Read Key
To read the current API key, perform a GET request to /api/tenant/apikey.
The response, if the caller is authorized, is one of:
API Key does not yet exist:
{ "APIKey": null }
API Key exists and is active:
{ "APIKey": "api key value" }
API Key exists and has an expiry timestamp:
{ "APIKey": "api key value", "Expiring": "true" }
NOTE: Identity Panel supports a single global API key per tenant, with the caveat that, when a new key is created, by default the previous key continues to function for 1 week.
Set Key
Initializing or rolling over an API key is done via a POST to /api/tenant/action/resetapikey. The content body is not considered, so a simple "{}" payload is fine.
This endpoint generates a new 32-byte key using an RNGCryptoServiceProvider and converts it to a string using URL-safe Base64 encoding (- instead of +, _ instead of /, - instead of =).
Any existing API key will have an expiration time set one week in the future, unless the "expire" query parameter is defined, in which case the previous key will be expired immediately.
Only one previous key is permitted to exist, so rolling over the API Key twice will immediately expire and remove the original first key.
If initialization or rollover is successful, the returned result will be:
{ "APIKey": "api key value" }
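The Read Key and Set Key flows above, as an added Python example that is not part of this documentation or of Identity Panel's own code. It parses the three documented response shapes of the read endpoint, builds the GET and POST requests with the X-API-Key header and the "{}" body, and keeps an offline model of the one-week grace window so an operator can see when an old key stops working before and after a rollover. The host name, the value "true" for the expire parameter (the page only says the parameter must be defined), the stripped Base64 padding in the local key stand-in, and the use of the X-API-Key header to authenticate these two Admin-only calls are assumptions made for the example.

```python
import base64
import json
import secrets
import urllib.request
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Placeholder tenant host (assumption; substitute the real Identity Panel URL).
BASE_URL = "https://identity-panel.example.invalid"
ONE_WEEK = timedelta(days=7)  # grace period for the previous key, per the page


@dataclass
class KeyState:
    key: Optional[str]   # None when no key has been initialized yet
    expiring: bool       # True when the key carries an expiry timestamp


def parse_key_response(body: str) -> KeyState:
    """Interpret the three documented response shapes of GET /api/tenant/apikey."""
    data = json.loads(body)
    key = data.get("APIKey")
    # The page shows "Expiring" as the string "true"; accept a real boolean as well.
    expiring = str(data.get("Expiring", "false")).lower() == "true"
    return KeyState(key=key, expiring=bool(key) and expiring)


def rollover_needed(state: KeyState) -> bool:
    """No key yet, or the current key is already on its way out."""
    return state.key is None or state.expiring


def build_read_request(base_url: str, api_key: str) -> urllib.request.Request:
    """GET /api/tenant/apikey, authenticating with the X-API-Key header (assumption)."""
    req = urllib.request.Request(f"{base_url}/api/tenant/apikey", method="GET")
    req.add_header("X-API-Key", api_key)
    return req


def build_reset_request(base_url: str, api_key: str,
                        expire_previous: bool = False) -> urllib.request.Request:
    """POST /api/tenant/action/resetapikey with an empty JSON object body.

    The page says the body is ignored and that merely defining the "expire"
    query parameter expires the previous key at once; the value "true" is
    this example's choice.
    """
    url = f"{base_url}/api/tenant/action/resetapikey"
    if expire_previous:
        url += "?expire=true"
    req = urllib.request.Request(url, data=b"{}", method="POST")
    req.add_header("X-API-Key", api_key)
    req.add_header("Content-Type", "application/json")
    return req


def generate_key_like_server() -> str:
    """Local stand-in for the server's 32-byte random key, used only to feed the model.

    urlsafe_b64encode maps + to - and / to _; stripping the '=' padding is this
    example's choice and not the server's documented handling of '='.
    """
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).decode().rstrip("=")


class KeyRingModel:
    """Offline model of the rollover rules on this page: one current key, at most
    one previous key, and the previous key honoured for one week unless the
    rollover asked for it to be expired immediately."""

    def __init__(self) -> None:
        self.current: Optional[str] = None
        self.previous: Optional[Tuple[str, datetime]] = None  # (key, expires_at)

    def reset(self, now: datetime, expire: bool = False,
              new_key: Optional[str] = None) -> str:
        new_key = new_key or generate_key_like_server()
        if self.current is not None:
            # A second rollover drops the original previous key outright.
            self.previous = None if expire else (self.current, now + ONE_WEEK)
        self.current = new_key
        return new_key

    def is_valid(self, key: str, now: datetime) -> bool:
        if key == self.current:
            return True
        if self.previous is not None:
            prev_key, expires_at = self.previous
            return key == prev_key and now < expires_at
        return False


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed timestamp
    model = KeyRingModel()
    first = model.reset(t0)
    second = model.reset(t0)
    print("first key valid after 6 days:", model.is_valid(first, t0 + timedelta(days=6)))
    print("first key valid after 8 days:", model.is_valid(first, t0 + timedelta(days=8)))
    print(build_reset_request(BASE_URL, second, expire_previous=True).full_url)
```

The model is what a rotation runbook needs: after a plain rollover, consumers still using the old key keep working for a week, so the safe order is roll over, move every consumer to the new key, then confirm the old key no longer validates; a rollover with the expire parameter, or a second rollover, closes that window immediately.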