Consultation on API Key Handling
Posted: Thursday, 08 August 2024
ACSP/Surveys
ARIN is seeking feedback from the community on a potential improvement to increase the security for Application Programming Interface (API) key handling, specifically allowing the option to pass API keys in the header of a Restful Payload, and to use IP address range bounding to limit the validity of an API key. The benefit of this potential improvement is that it would give users options to make their API keys more secure and bring ARIN in line with best practices for API key handling.
ARIN’s RESTful Provisioning system leverages modern application interfaces and provides even stronger authentication. RESTful calls require the use of an API key. Since the development of these systems, best practices have evolved to make them more secure. When the API key is included in the payload, it is encrypted which increases the security of these programmatic transactions with ARIN systems. The current system relies on the security of the connection between the networks that transport these plain text API keys. How urgent is the need for ARIN to bring its API key handling in line with the current best practices?
By adding functionality to allow the API keys to be shared as a header parameter, ARIN would create an option for customers who prefer to encrypt their API keys. By further allowing customers to set IP address boundaries for an API key’s usage, they can better control how their API keys are used.
We are seeking community input on the priority for updating the methods for the handling of API keys in ARIN’s RESTful provisioning system.
Please provide comments to arin-consult@arin.net. You can subscribe to this mailing list at https://lists.arin.net/mailman/listinfo/arin-consult.
This consultation will remain open until 5:00 PM ET on 23 August. ARIN seeks clear direction through community input, so your feedback is important.
Thank you for your continued support to improve ARIN’s services.
Regards,
John Curran
President and CEO
American Registry for Internet Numbers (ARIN)
Recent Announcements
- Happy Holidays from ARIN!
- Volunteer to Serve on the 2025 ARIN Fellowship Selection Committee
- Consultation on Reg-RWS Improvements
- Reminder - ARIN Will Only Support TLS 1.2 and TLS 1.3 Cryptographic Features Across All ARIN Services As of 3 February 2025
- UPDATE - Consultation on Reallocation Control Features
- Reclassification of Inactive General Members Completed 18 November 2024
- ARIN 54 Meeting Report Now Available
- 2024 ARIN Election Results
- ARIN Makes Second Contribution to IETF Endowment
- NOW CLOSED - Consultation on Reallocation Control Features
- » View Archive