API Key Management

Create and manage API keys with granular permissions and sub account access, enabling you to integrate Imperva into your environment and streamline processes. For example, you can automate security responses, integrate dashboards and reports, or onboard new sites.

Overview

The account administrator or a user with equivalent permissions can manage API Keys.

  • API keys inherit the user's permissions and sub account access.
  • Any user with the Manage API keys permission can create and manage their own API keys (up to 5 keys per user account).
  • The account admin or any user with the appropriate permissions (Manage users and permissions and Manage API keys) can create and manage keys for all account users.
  • Add a name and description to an API key to indicate what it is used for.
  • Export key details. This action exports details such as user, name, description, and status in csv format. It does not export the key itself.

Log integration: The API ID and key used for logs are available on the Log Setup page only. They are not listed here.

Create and manage API keys

Add, edit, enable, disable, reset, and delete API keys.

Note: When you reset an API key, the API ID remains the same and a new key is generated that overrides the previous one.

Account Admin or user with the appropriate permissions:

  1. In the Cloud Security Console, on the sidebar, click Management > Users.
  2. Click a user row to open the Settings panel.

  3. Click Add API Key to generate the API ID and Key.
  4. Copy the details from the pop-up window. Once the pop-up window with the generated ID and key is closed, you will no longer be able to retrieve the key.

User with limited permissions:

  1. In the Cloud Security Console, on the sidebar, click Management > API Keys.

  2. Click Add API Key to create a new key.

  3. Copy the details from the pop-up window. Once the pop-up window with the generated ID and key is closed, you will no longer be able to retrieve the key.

  4. Select an option under the More column to edit, enable/disable, reset, or delete a key.

Examples

| User | Scenario |
|---|---|
| Marketing administrator | Reporting. This user does not require special permissions and can use an API key to get statistics and event data for internal reporting purposes. |
| Devops engineer | Site configuration. This user has permissions to modify site settings and can use an API key for automating site configuration. |
| Security engineer | Defining rules. This user has permissions to modify site settings and can use an API key for configuring rules to implement their own security, delivery, and access control rules. |
| Application engineer | Purging the cache. This user has permissions to modify site settings and can use an API key for clearing all resources in the cache after a major change to their website, such as following a version update. |

API key expiration

When you create or reset an API key, you can set an expiration date. By default, API keys do not expire.

You can select the following time periods for expiration:

  • 3 months
  • 6 months
  • 1 year
  • Never

Grace period

  • Expired API key: When an API key has expired, you can still use it for a grace period of two weeks.
  • Reset API key: When you reset an existing API key, the previous key will still work for a period of two weeks from its expiration date or from the time it is reset, whichever comes first.
  • Additional reset during the two-week grace period: Resetting the key more than once within the grace period cancels any earlier key resets. The grace period is valid for the last reset only. The keys generated by previous resets are no longer valid.
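
The three grace-period rules above, worked through as an added Python example (not Imperva code and not a call to any Imperva API). It assumes a reading of the repeated-reset rule in which a further reset ends the grace of keys replaced by earlier resets, so only the key replaced by the last reset keeps a grace period; `cutoff_times`, `accepted_at` and the rotation history are hypothetical names and constructed data.

```python
from datetime import datetime, timedelta

GRACE = timedelta(weeks=2)  # grace period stated on this page

def cutoff_times(generations):
    """generations: chronological list of (issued_at, expires_at), one entry per
    key value; expires_at is None for "Never". Every entry after the first was
    produced by a reset at its issued_at. Returns, per entry, the moment that
    key value stops being accepted (None means no cutoff is scheduled)."""
    cutoffs = []
    for i, (_, expires_at) in enumerate(generations):
        limits = []
        if expires_at is not None:
            # Expired key: still usable for two weeks after expiry.
            limits.append(expires_at + GRACE)
        if i + 1 < len(generations):
            # Reset key: the previous key works for two weeks from its
            # expiration date or from the reset, whichever comes first.
            limits.append(generations[i + 1][0] + GRACE)
        if i + 2 < len(generations):
            # Assumed reading of the repeated-reset rule: a further reset
            # ends the grace of keys replaced by earlier resets.
            limits.append(generations[i + 2][0])
        cutoffs.append(min(limits) if limits else None)
    return cutoffs

def accepted_at(generations, when):
    """Indexes of the key values that are still accepted at `when`."""
    live = []
    for i, cutoff in enumerate(cutoff_times(generations)):
        issued_at = generations[i][0]
        if issued_at <= when and (cutoff is None or when < cutoff):
            live.append(i)
    return live

# Constructed rotation history for illustration (not real data).
HISTORY = [
    (datetime(2024, 1, 1), datetime(2024, 4, 1)),    # original key, 3 months
    (datetime(2024, 3, 25), datetime(2024, 9, 25)),  # first reset, 6 months
    (datetime(2024, 4, 2), None),                    # second reset, never
]

if __name__ == "__main__":
    for i, cutoff in enumerate(cutoff_times(HISTORY)):
        print(f"key value {i}: accepted until {cutoff or 'no scheduled cutoff'}")
```

A key replaced by a reset can keep working for up to two weeks, which is worth accounting for when the reset is a response to a suspected exposure.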

Extending the validity period of the API key

Email notifications will be sent to you before the API key expires. The email will include a link enabling you to extend the validity of the API key for two weeks.
