Can we get a specific API endpoint URL for automated token generation/rotation and for getting the token details?
While creating the test access token "test" on the developer access token portal (https://dev.reuters.arcpublishing.com/developer/access/tokens), I got the command below.
curl -H "Content-Type: application/json" \
-H "Authorization: Bearer *******" \
-X GET https://api.dev.reuters.arcpublishing.com/site/v3/website/
Is there any update on this?
Long-lived API tokens are a significant security risk. Tokens tend to sprawl, developers make mistakes, and developers are sometimes actively targeted by attackers.
An attacker with a token can cause severe damage.
Exposed long-lived credentials were one of the top causes of cloud security incidents according to a study by Datadog in 2022 (https://securitylabs.datadoghq.com/articles/public-cloud-breaches-2022-mccarthy-hopkins/#exposed-long-lived-cloud-credentials).
OWASP has an extra section on the topic in its Secrets Management Cheat Sheet (https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html#272-rotation).
Escape provides some up-to-date statistics in its study “The API Secret Sprawl” (https://escape.tech/the-api-secret-sprawl-2024).
Manual rotation is not a feasible or reliable solution.
We use AWS Secrets Manager to store tokens. For APIs that support it, we rotate them automatically using a Lambda Function (https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotate-secrets_lambda.html).
This works well, for example, with the Grafana API (https://grafana.com/docs/grafana/latest/developers/http_api/serviceaccount/#create-service-account-tokens).
An API Endpoint like Grafana’s Service Account API would be great.
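As an added example (not the poster's code, and not an AWS or Grafana artifact), this is what the Secrets Manager rotation Lambda described in the post above can look like for a Grafana service-account token, with in-memory fakes standing in for Secrets Manager and Grafana so it runs offline. It follows the four-step rotation contract Secrets Manager invokes a rotation function with (createSecret, setSecret, testSecret, finishSecret) and Grafana's POST/DELETE /api/serviceaccounts/{id}/tokens endpoints; the secret's JSON layout, the 48-hour server-side token TTL, the GET /api/org liveness probe, the fake token values, and the assumption that a service-account token is permitted to mint and revoke tokens for its own service account are this example's choices.

```python
"""Secrets Manager rotation Lambda for a Grafana service-account token (added example, not the poster's code).
Secret layout, TTL, the /api/org probe and self-managing service-account permission are assumptions."""
import json

CURRENT, PENDING = "AWSCURRENT", "AWSPENDING"
TOKEN_TTL_SECONDS = 2 * 24 * 3600  # assumes daily rotation: a server-side expiry bounds a stuck rotation

class GrafanaTokens:
    """Wrapper over Grafana's /api/serviceaccounts/{id}/tokens; http(method, url, bearer, body=None) -> (status, json)."""
    def __init__(self, base_url, http):
        self.base, self.http = base_url.rstrip("/"), http
    def create(self, bearer, sa_id, name, ttl):
        status, body = self.http("POST", f"{self.base}/api/serviceaccounts/{sa_id}/tokens",
                                 bearer, {"name": name, "secondsToLive": ttl})
        if status != 200:
            raise RuntimeError(f"token create failed: HTTP {status}")
        return body["id"], body["key"]
    def delete(self, bearer, sa_id, token_id):
        self.http("DELETE", f"{self.base}/api/serviceaccounts/{sa_id}/tokens/{token_id}", bearer)
    def works(self, bearer):  # assumption: GET /api/org is a cheap authenticated probe
        return self.http("GET", f"{self.base}/api/org", bearer)[0] == 200

def lambda_handler(event, context, sm, http):
    """Rotation entry point; sm is a boto3 secretsmanager client (or the fake below), http the transport."""
    arn, token, step = event["SecretId"], event["ClientRequestToken"], event["Step"]
    stages = sm.describe_secret(SecretId=arn)["VersionIdsToStages"]
    if CURRENT in stages.get(token, []):
        return  # this version already finished rotating: a retried invocation is a no-op
    if PENDING not in stages.get(token, []):
        raise ValueError(f"version {token} is not staged {PENDING}")
    current = json.loads(sm.get_secret_value(SecretId=arn, VersionStage=CURRENT)["SecretString"])
    grafana, sa = GrafanaTokens(current["grafana_url"], http), current["service_account_id"]
    if step == "createSecret":
        try:
            sm.get_secret_value(SecretId=arn, VersionId=token, VersionStage=PENDING)
            return  # retry after a partial createSecret: a pending token already exists, do not mint another
        except sm.exceptions.ResourceNotFoundException:
            pass
        new_id, new_key = grafana.create(current["token"], sa, f"rotated-{token[:8]}", TOKEN_TTL_SECONDS)
        sm.put_secret_value(SecretId=arn, ClientRequestToken=token, VersionStages=[PENDING],
                            SecretString=json.dumps({**current, "token_id": new_id, "token": new_key}))
    elif step in ("testSecret", "finishSecret"):
        pending = json.loads(sm.get_secret_value(SecretId=arn, VersionId=token, VersionStage=PENDING)["SecretString"])
        if not grafana.works(pending["token"]):
            raise RuntimeError("pending token rejected by Grafana; AWSCURRENT left untouched")
        if step == "finishSecret":
            old = next(v for v, s in stages.items() if CURRENT in s)
            sm.update_secret_version_stage(SecretId=arn, VersionStage=CURRENT,
                                           MoveToVersionId=token, RemoveFromVersionId=old)
            grafana.delete(pending["token"], sa, current["token_id"])  # revoke the old token only after promotion
    elif step != "setSecret":  # setSecret is a no-op here: Grafana minted the token server-side in createSecret
        raise ValueError(f"unknown step {step}")

class FakeSecretsManager:
    """In-memory stand-in for boto3's secretsmanager client (constructed for the offline demo)."""
    class exceptions: ResourceNotFoundException = LookupError
    def __init__(self, current_string):
        self.values, self.stages = {"v0": current_string}, {"v0": [CURRENT]}
    def describe_secret(self, SecretId):
        return {"VersionIdsToStages": self.stages}
    def get_secret_value(self, SecretId, VersionId=None, VersionStage=None):
        vid = VersionId or next(v for v, s in self.stages.items() if VersionStage in s)
        if vid not in self.values:
            raise LookupError(vid)  # boto3 raises ResourceNotFoundException here
        return {"SecretString": self.values[vid]}
    def put_secret_value(self, SecretId, ClientRequestToken, SecretString, VersionStages):
        self.values[ClientRequestToken], self.stages[ClientRequestToken] = SecretString, list(VersionStages)
    def update_secret_version_stage(self, SecretId, VersionStage, MoveToVersionId, RemoveFromVersionId):
        self.stages[RemoveFromVersionId].remove(VersionStage)
        self.stages[MoveToVersionId].append(VersionStage)

def fake_grafana(live):
    """Stand-in for the Grafana token endpoints; `live` maps token key -> token id (constructed for the demo)."""
    def http(method, url, bearer, body=None):
        if bearer not in live:
            return 401, {}
        if method == "POST":
            tid = max(live.values()) + 1
            live[f"glsa_fake_{tid}"] = tid
            return 200, {"id": tid, "name": body["name"], "key": f"glsa_fake_{tid}"}
        if method == "DELETE":
            tid = int(url.rsplit("/", 1)[1])
            for key in [k for k, v in live.items() if v == tid]:
                del live[key]
        return 200, {}
    return http

def demo():
    """One full offline rotation, with createSecret and finishSecret each invoked twice to simulate retries."""
    initial = {"grafana_url": "https://grafana.example.internal", "service_account_id": 7,
               "token_id": 12, "token": "glsa_fake_12"}
    sm, live = FakeSecretsManager(json.dumps(initial)), {"glsa_fake_12": 12}
    token = "7c9e6679-7425-40de-944b-e07fc1f90ae7"  # the ClientRequestToken Secrets Manager generates
    sm.stages[token] = [PENDING]  # Secrets Manager stages the new version before the first invocation
    for step in ("createSecret", "createSecret", "setSecret", "testSecret", "finishSecret", "finishSecret"):
        lambda_handler({"SecretId": "grafana/sa-token", "ClientRequestToken": token, "Step": step},
                       None, sm, fake_grafana(live))
    final = json.loads(sm.get_secret_value("grafana/sa-token", VersionStage=CURRENT)["SecretString"])
    return final, sorted(live), sm.stages
```

Two design points matter more than the API calls: every step is idempotent (a retried createSecret finds the pending version and does not mint a second Grafana token; a retried finishSecret sees AWSCURRENT already moved and returns), and the old token is revoked only after the new version has been promoted, so a consumer reading AWSCURRENT never holds a dead token. If testSecret fails, the function raises and AWSCURRENT is left untouched. In a real deployment the transport is urllib or requests over HTTPS, and the service-account token needs permission to manage its own service account's tokens.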
Thanks for the suggestion! Enabling token rotation is something we've discussed but we don't have near-term plans on this front.
Ryan