ACSP Consultation 2024.3: Consultation on API Key Handling
Consultation Tracking Information
- Requested By: Staff
- Status: Closed
- Comments Opened: 8 August 2024 (linked to discussion archives)
- Comments Closed: 23 August 2024
- Suggestion Number: n/a
Consultation Description
ARIN is seeking feedback from the community on a potential improvement to increase the security for Application Programming Interface (API) key handling, specifically allowing the option to pass API keys in the header of a RESTful payload, and to use IP address range bounding to limit the validity of an API key. The benefit of this potential improvement is that it would give users options to make their API keys more secure and bring ARIN in line with best practices for API key handling.
ARIN’s RESTful Provisioning system leverages modern application interfaces and provides even stronger authentication. RESTful calls require the use of an API key. Since the development of these systems, best practices have evolved to make them more secure. When the API key is included in the payload, it is encrypted, which increases the security of these programmatic transactions with ARIN systems. The current system relies on the security of the connection between the networks that transport these plain text API keys. How urgent is the need for ARIN to bring its API key handling in line with the current best practices?
By adding functionality to allow the API keys to be shared as a header parameter, ARIN would create an option for customers who prefer to encrypt their API keys. By further allowing customers to set IP address boundaries for an API key’s usage, they can better control how their API keys are used.
We are seeking community input on the priority for updating the methods for the handling of API keys in ARIN’s RESTful provisioning system.
Please provide comments to arin-consult@arin.net. You can subscribe to this mailing list at https://lists.arin.net/mailman/listinfo/arin-consult.
This consultation will remain open until 5:00 PM ET on 23 August. ARIN seeks clear direction through community input, so your feedback is important.
Thank you for your continued support to improve ARIN’s services.
Regards,
John Curran
President and CEO
American Registry for Internet Numbers (ARIN)
ARIN Actions
4 September 2024
From 8 August to 23 August, ARIN held a Consultation seeking feedback from the community on a potential improvement to increase the security for Application Programming Interface (API) key handling, specifically allowing the option to pass API keys in the header of a RESTful payload, and to use IP address range bounding to limit the validity of an API key. The benefit of this potential improvement is that it would give users options to make their API keys more secure and bring ARIN in line with best practices for API key handling.
After reviewing and discussing the comments received during the consultation, ARIN plans to add the option to pass the API key in the header of a RESTful payload. We will also investigate and scope the work needed to allow for IP address range bounding, noting that this feature should be available under Organization management tools to be managed by Admin or Tech contacts. Both improvements will be queued for inclusion in the development roadmap.
ARIN thanks those who provided valuable feedback on this consultation. We rely on this input from our members and community to help steer the organization as we continue our mission in support of the operation and growth of the Internet.
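
The two controls named in this consultation, an API key carried in a request header and IP address range bounding, sketched as a server-side check. This is an added example, not ARIN's code; the header name `X-Api-Key`, the sample keys and ranges, and the rule that a key with no ranges is unrestricted are assumptions.

```python
import hmac
import ipaddress

# Hypothetical header name; the page does not say which header ARIN will use.
API_KEY_HEADER = "X-Api-Key"

# Constructed sample data: key -> CIDR ranges it is valid from ([] = no bounds, assumed).
KEY_RANGES = {
    "API-0000-EXAMPLE-KEY1": ["192.0.2.0/24", "2001:db8:10::/48"],
    "API-0000-EXAMPLE-KEY2": [],
}


def lookup_key(presented):
    """Return the stored key matching `presented`, compared in constant time."""
    match = None
    for stored in KEY_RANGES:
        if hmac.compare_digest(stored.encode(), presented.encode()):
            match = stored
    return match


def normalize_ip(text):
    """Parse an address; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) to IPv4."""
    addr = ipaddress.ip_address(text)
    mapped = getattr(addr, "ipv4_mapped", None)
    return mapped if mapped is not None else addr


def authorize(headers, source_ip):
    """Return (allowed, reason) for a request's headers and peer address."""
    lowered = {k.lower(): v for k, v in headers.items()}
    presented = lowered.get(API_KEY_HEADER.lower())
    if not presented:
        return False, "no key in header"
    key = lookup_key(presented)
    if key is None:
        return False, "unknown key"
    try:
        addr = normalize_ip(source_ip)
    except ValueError:
        return False, "unparseable source address"
    ranges = [ipaddress.ip_network(r) for r in KEY_RANGES[key]]
    if not ranges:
        return True, "key has no IP bounds"
    if any(addr in net for net in ranges):
        return True, "source inside bound range"
    return False, "source outside bound ranges"
```

The source address must be the peer address the server itself observed (or one set by a trusted proxy), since a client-supplied forwarding header would let the caller choose its own "source".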