Managing API Keys at an Organizational Level

03-10-2022 04:22 PM
ZianChoy
Occasional Contributor

My company has >1 software developer. Assuming that each developer has his own set of API keys in addition to a few keys that everyone uses for accessing relatively safe things like AGOL basemaps, how can an organization monitor the API key usage and billing?

I'm also worried that if someone steals an API key and misuses it, we can never delete the key. If I delete the key, then there seems to be no way to see how many of the basemap tiles used by a developer account were used by the thief.

Is this true? Are API keys forever on pain of losing visibility into a key's usage?

If so, then the only way to kill a key will be to set its "referer" requirement to a securely-generated random string like https://EvNrXskTnL59QfRFPFKVcGza.esri.com and swap out the random string on a regular basis.


Accepted Solutions
Raul_Jimenez
Esri Contributor

Hi Zian,

Thank you for your question.

In terms of security, we strongly recommend always setting referrers, among other things you can read here. To learn how to create API keys programmatically, you can refer to this Postman collection, or you can use the createApiKey function implemented in ArcGIS REST JS.

About monitoring usage, you are right: from an organizational point of view there is no dashboard to monitor the use of all API keys. If I am not wrong, it is something that is being worked on. Just in case, I have checked ArcGIS Ideas, but I haven't seen that idea being shared.

I recommend that you request that feature in this forum. If you do, please explain to us what functionality/filters/etc. you would like to find there. This is the best way to share your requests with the product teams. If you have an example of the ideal dashboard you would like to see, please feel free to share it with other colleagues. The more upvotes it receives, the better.

ZianChoy
Occasional Contributor

>swap on a regular basis and delete/disable old keys

https://developers.arcgis.com/documentation/mapping-apis-and-services/security/security-best-practic... says "Rotate and delete your API keys periodically and routinely, replacing existing API keys with new API keys."

I'm trying to find a way to do what the documentation says without obliterating the historical usage data.

Thanks for suggesting the ArcGIS Ideas website.

Raul_Jimenez
Esri Contributor

Sorry @ZianChoy, as far as I know there is no way to do it without losing the historical usage data 🙁.

The only way that comes to my mind is to export the usage data and consolidate it into another system.

There are two ways to export the usage data:

I hope this helps.

ZianChoy
Occasional Contributor

Thanks. It looks like the best I can do is to run that report using the "daily" timeDuration after 2 days have passed and all the #s have settled down.

0 Kudos
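One way to do the consolidation discussed above, so that rotating or deleting a key does not erase its history: archive each day's per-key figures locally once they are two days old. This is an added example, not part of the thread or of any Esri tooling; the record layout, key names and SQLite schema are assumptions, and the sample rows are constructed.

```python
import sqlite3
from datetime import date, timedelta

SETTLE_DAYS = 2  # the thread's rule of thumb: a day's numbers settle after 2 days

# Constructed rows in a hypothetical export layout: (day, key_id, service, requests)
SAMPLE_EXPORT = [
    ("2022-03-07", "key-dev-alice", "basemap-tiles", 1200),
    ("2022-03-08", "key-dev-alice", "basemap-tiles", 1350),
    ("2022-03-08", "key-shared", "basemap-tiles", 9000),
    ("2022-03-10", "key-dev-alice", "basemap-tiles", 40),  # too recent to trust yet
]

def open_archive(path=":memory:"):
    """Create the local archive; it lives outside the platform that issues keys."""
    db = sqlite3.connect(path)
    db.execute("""CREATE TABLE IF NOT EXISTS usage (
        day TEXT, key_id TEXT, service TEXT, requests INTEGER,
        PRIMARY KEY (day, key_id, service))""")
    db.execute("""CREATE TABLE IF NOT EXISTS retired (
        key_id TEXT PRIMARY KEY, retired_on TEXT)""")
    return db

def archive_settled(db, rows, today):
    """Store only rows old enough to have settled; re-running is idempotent."""
    cutoff = (today - timedelta(days=SETTLE_DAYS)).isoformat()
    settled = [r for r in rows if r[0] <= cutoff]  # ISO dates sort as strings
    db.executemany("INSERT OR REPLACE INTO usage VALUES (?,?,?,?)", settled)
    db.commit()
    return len(settled)

def retire_key(db, key_id, today):
    """Note a rotation locally; the key's archived usage rows are kept."""
    db.execute("INSERT OR REPLACE INTO retired VALUES (?,?)",
               (key_id, today.isoformat()))
    db.commit()

def total_for_key(db, key_id):
    """Total archived requests for a key, whether or not it still exists."""
    row = db.execute("SELECT COALESCE(SUM(requests), 0) FROM usage WHERE key_id = ?",
                     (key_id,)).fetchone()
    return row[0]
```

Run the archive step on a schedule before any key is deleted, so the last settled days of the old key are captured first.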
Raul_Jimenez
Esri Contributor

I think so.

I have also been talking to a colleague, and he told me he will try to write and publish a script to pull the consumption data from the API directly. If he does it, he will publish it on this repo: https://github.com/esrinederland/CoolScripts

Cheers

Raul_Jimenez
Esri Contributor

Hi @ZianChoy,

Anything else we can do to help? 

Thanks!
P.S. I'll wait a few days, and if there is no more activity I'll accept my previous response as "Solution" to move on 😉