
Watching Out for Your API Keys and Tokens on Open Internet


Auth0's password breach detection service could be the start of a new default method of handling API security. See why it matters and how it could impact the industry.


I was just learning about Auth0's new password breach detection service, adding to the numerous reasons why you'd use their authentication service instead of going at it on your own. It's an important concept I wanted to write about so that it was added to my research and present in my thinking around API authentication and security going forward.

Keeping an eye out for important identity and authentication related information used as part of my API consumption is a lot of work, and it is something that I'd love to see more platforms assist me with. I've written about AWS communicating with me around my API keys, and I could see an API key and token management solution being built on top of their AWS Key Management Service. I've also received emails from GitHub about my OAuth token showing up in a public repo (happened once).

Many application developers do not have the discipline to always manage API keys and tokens in a safe and secure way (guilty). It seems like something that could become default for API providers — if you issue keys and tokens, then maybe you should be helping consumers keep an eye out for them on the open Internet. Which smells like an opportunity for some API-focused security startup. 

Have you seen any other API providers provide key and token monitoring services? Is there anything that you do as an API consumer to keep an eye out for your own keys and tokens? Search for them on GitHub via the API? Manually search on Google? I am curious to learn more about what people are doing to manage their API keys and tokens.



Published at DZone with permission of
