Generated API key scope


#1

We were using an API key that was generated by the API to manage devices over multiple applications. This functionality seems to have been broke. Are the API keys now only valid per application. If this is the case is the only workaround for shipping a product that can use the API across all applications to include the username and password?

Thanks,
-Areth


#2

Hey Areth,

Could you let me know the endpoint you are using for generating the API key?

If you are referring to the AUTH token in https://dashboard.resin.io/preferences/details - this token expires periodically and needs to be refreshed.


#3

Not the AUTH token. We used the AUTH token to generate the API key.

The only API key generation endpoint I could find is not documented in the API but is in the python SDK

api.resin.io/ewa/application/<app_is>/generate-api-key

I have an API key that was generated a while ago by another developer that used to work for the entire API (not just specific applications). I believe it was generated with a similar call to a generate-api-key endpoint but I can’t find a reference to that in your documentation. We were using to automate features for our users. For instance we would set an environment variable by calling:

POST: https://api.resin.io/ewa/device_environment_variable/?apikey=<api_key> with some data.

I was trying to figure out why these calls were failing and saw the application specific API key endpoint and wondered if that had replaced the old API wide key. If so that would explain why our old key stopped working.


#4

Hi @heyareth I am not aware of any API andpoint to generate API keys ( we provide the auth token mechanism instead ) but maybe @Page knows better

if you look at the docs, it is described using auth token https://docs.resin.io/runtime/data-api/#resource-environment-variables


#5

Cool. Thanks :slight_smile:

It definitely exists and is documented in a round about way in the Python SDK docs.

https://docs.resin.io/tools/python-sdk/#function-get_api_key-name-

Perhaps I am misreading the purpose of it or perhaps it was recently deprecated?


#6

Hey @heyareth, it’s not deprecated, but currently the API key that is generated there is non-revokable, so we do not document it currently. @Page has been working on the API keys story and may have additional info to add as well.


#7

The API key is indeed non-revokable at the moment, and as it is designed to be used on devices by the supervisor it is also restricted compared to a user token, so the issue you’re hitting is likely due to that restriction, there are plans to add a fully fledged API key system in future but I’m not sure what the status of that is