Chuck asked

Managing and using API keys at organization level

If this is documented somewhere, please point me to it, but I haven't been able to find answers to these questions.

  1. It seems that API keys can only be created by a user for their own use. Is that true, or is there a way to create and manage API keys at an organization level?

    My primary reason for asking is that a deployment of our company's application in the cloud doesn't correspond with an individual Telnyx user -- it's a service. If we deploy with a key tied to a specific user, that precludes other sysadmins from rotating the key, and it's a problem if the user leaves the company. We could create a fake user solely for managing our "service" keys, but that requires sharing the fake user's credentials amongst ourselves and adds tedium.

  2. Is there a way for an admin/owner in the Telnyx account to supervise members' API key usage, and especially to deactivate keys?

  3. Is there a way to scope an API key to a specific set of resources, for example to have separate keys for different deployments of our application?

    Basically we need a development key that grants access to our development SIP trunk and DIDs, another for staging trunk and DIDs, and another for production. A key that we use in our development environment to experiment with features shouldn't be allowed to inadvertently modify our production trunk, etc. How can we accomplish this?

Thank you!

EDIT: Numbering and formatting.

klane@telnyx.com answered

Thanks for your detailed and organized request. I checked some of the organization docs and our "Managed Account" feature but found no options to manage API keys organizationally. You may of course deactivate and create keys in the portal > home > manage api keys.

A workaround that I have used before when sharing API Keys was a concern was to put users into billing groups so that a single API key could be used and then each customer would be billed separately. This may be trickier if spread across multiple Telnyx accounts, not sure if this implementation would work in that case. This could be a possible workaround you could test for your application.

My understanding is that these asks are unavailable in the current state. It is excellent feedback that I will take to the team to see what options we have and what implementation would look like. Are these requests you'd like to be able to manage via API or Portal or both?


klane@telnyx.com answered

Also, here is some feedback from one of the product managers that I wanted to share with you. This is not set in stone, so it is subject to change:

I'm going to respond to these questions out of order, but hopefully it makes sense. This is all from a single organization standpoint and not from a Managed Accounts scenario - not that the ideas couldn't be extended, but it's easier to focus on the former and then iterate for the latter.

Edge squad is currently (and has been) working towards providing "scoped api keys" which is what they're requesting in question #3. Our first iteration will be providing the scoped permissions on the user, and whatever keys they create have the same permissions as the account. This is the easiest way for us to provide scoped keys - thinking of it like creating a "service user". In their question #1, they're saying that's exactly what they don't want :sweat_smile: We will get there, but we have to start somewhere - aiming for release later this year (late Q2/early Q3). We'll also be providing optional key expiration. And then later, scoping keys to a subset of the permissions available to a user.

1 - They're correct about the current limitations. We'll take this feedback about managing keys organizationally.

2a - We are working on a way to enable users to view auth (so api key) related events on their account. I don't believe we had discussed "sub accounts" though or viewing for an entire organization - good feedback to have.

2b - Similar to my response to #1, we'll look at overall organization key management features.
