Deep Security API keys enable you to authenticate your API calls with Deep Security Manager. API keys provide a secret key that you include in your HTTP request headers that the manger authenticates. Each API key is also associated with a user role that determines the actions that you can perform. An expiry date determines when key access terminates.
You can create API keys using the Deep Security Manager UI or the API:
- Create an API key using code
- Create an API key using Deep Security Manager
- Manage API keys after their creation
Secure your secret keys
Implement API key-management strategies to maximize their security and prevent system compromise.
Due to the similarities between API key secret keys and cryptographic secret keys, you can adopt estabished best practices for managing cryptographic keys. The Open Web Application Security Project (OWASP) publishes a Key Management Cheat Sheet. Many of the items in the Key Management LifeCycle Best Practices section can be applied to the secret keys of API keys.
If you are storing secret keys, you can use a key management system to encrypt, store, and decrypt your secret keys, such as the Amazon Key Management Service (KMS). Similarly you can use a trusted platform module (TPM).
Consider regularly rotating keys to prevent access in the event that API keys are compromised. Alternatively, you can create API keys as needed and then delete them after use, or set a short expiry date.