Confirming API keys

Security, Releases & Updates, d.velop documents changelog · August 28, 2024

Some apps use API keys to communicate with each other. For certain users, administrators can create API keys to interact with the apps on the users’ behalf. As an additional security mechanism, users can now reject API key-based interaction. This change will take effect immediately in the cloud; for on-premises deployments, the change will apply from Current version 2024.Q3.

What will change?

To make the creation of API keys transparent, users are now informed when the administrator creates an API key for them. Users are prompted to confirm or reject the API key in a notification dialog.

Where can users find the API keys that have been created for them?

For users with API keys, the item API keys appears in the user profile menu. Clicking this item opens an overview of all API keys for that user.

What happens to API keys that were created before the changeover?

All existing API keys that were created before the changeover will remain valid. Users will not receive a notification dialog for existing API keys. In the overview, existing API keys can be recognized by the fact that they do not contain any information about who created the key. Users can confirm the existing API keys in the overview by clicking Manage for the corresponding keys and then Confirm in the dialog that appears. To reject existing API keys, users must contact the administrator. Before rejecting an existing API key, users and administrators should check what the effects of the rejection will be.

This procedure for existing API keys applies up to and including the Annual 2025 version. From Current version 2025.Q2 (Current and Cloud versions) and Annual version 2026, existing API keys will also require confirmation, i.e. from this point onward, users will receive a notification dialog asking them to confirm or reject the existing API keys.

What happens when new API keys are created?

When the administrator creates a new API key for a user, the user receives an e-mail notification. The user also receives a notification dialog when logging into the software and for all interactions with the software. In the dialog, the user must perform a one-time confirmation or rejection of the API key. The administrator is notified by e-mail that the API key has been confirmed or rejected. If the user cancels the dialog, the administrator can request confirmation of an API key again. Rejected API keys become invalid and can no longer be used.

Important information

API keys that are created for your own user or technical users do not need to be confirmed.

We generally recommend that API keys should be created for technical users only (see https://kb.d-velop.de/s/article/000002207?language=en_US). In the long term, we will prevent the use of API keys for non-technical users. There is currently no specific release date for this change. In accordance with our Product Lifecycle Policy, we will announce the implementation at least 12 months in advance via the d.velop service portal. Along with the announcement, we will also provide you with recommendations for dealing with the change. In the meantime, we recommend that our partners change over their inter-app communication (see https://help.d-velop.de/dev/documentation/identityprovider-app#inter-app-communication-with-app-sessions).
