
Hi,

I have been reading about API keys here: https://success.clarizen.com/hc/en-us/articles/360011833079-API-Keys-Support and hope someone here has experience with key management, especially with respect to their expiry.

The systems I will be having to give API access into AdaptiveWork are likely to be externally managed, so there will be time and cost associated with changing keys, and I am obviously trying to avoid any time periods where the external system cannot access AdaptiveWork.

I understand how to create an API key, but see that it has an expiry set on it by default of, I think, a year. Is there any way to create a key with a longer expiry (so I don’t need to worry about this ever ideally)?

If not, is there any way to extend the expiry date so a fresh key is not required? (and ideally generate a reminder that it needs doing).

If not, is there a way to generate another key while the first key is still active - is this the intended usage of the secondary key?

N.B. I am asking about this from an operational point of view, and understand that extending keys may not be recommended from a security point of view, though I would argue that the difference in risk from a security point of view between a key valid for a year and one valid forever is minimal. 

Thanks

Julian

Hi @julianm.

At this time, there is no option to extend the expiry period of an API key. The recommended approach is to utilise the primary and secondary key rotation mechanism. For example, you can generate a primary key initially and create a secondary key at a later point (e.g., after six months). When the primary key reaches its expiry, the secondary key can be used immediately, and the primary key can then be regenerated.

This primary/secondary key strategy is considered a best practice to minimize potential downtime and ensure continuity in case a key becomes compromised.

Allowing API keys to never expire introduces significant security risks. From an application security (AppSec) perspective, an indefinitely valid key—if compromised—could be misused without limitation, which is a serious concern.

Please let us know if you have any further questions.
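
A schedule sketch for the primary/secondary rotation described in the reply above, added here as an example and not part of the original thread or of AdaptiveWork's own tooling. It assumes the 365-day validity and roughly six-month stagger mentioned in the thread and that each key is regenerated on the day it expires; the function names and the 30-day reminder lead are hypothetical, and it calls no AdaptiveWork API.

```python
from datetime import date, timedelta

def plan_rotation(start, cycles, validity_days=365, stagger_days=182):
    """Validity windows for two key slots, each regenerated on the day it expires.
    Returns (slot, valid_from, expires) tuples sorted by valid_from."""
    windows = []
    for slot, offset in (("primary", 0), ("secondary", stagger_days)):
        valid_from = start + timedelta(days=offset)
        for _ in range(cycles):
            expires = valid_from + timedelta(days=validity_days)
            windows.append((slot, valid_from, expires))
            valid_from = expires  # assumption: regenerated at expiry
    return sorted(windows, key=lambda w: w[1])

def switchovers(windows, lead_days=30):
    """For each expiry, the key the client moves to and the time it has to do so."""
    plan = []
    for slot, valid_from, expires in windows:
        # Keys in the other slot that are already valid on the expiry date.
        ready = [w for w in windows if w[0] != slot and w[1] <= expires < w[2]]
        if not ready:
            continue  # end of the planned horizon: nothing to switch to yet
        nxt = ready[0]
        remind_on = expires - timedelta(days=lead_days)
        plan.append({
            "expiring": slot,
            "switch_to": nxt[0],
            "deadline": expires,
            "remind_on": remind_on,
            # Days during which both keys are valid, i.e. the handover window.
            "overlap_days": (expires - max(valid_from, nxt[1])).days,
            # False means the reminder fires before the next key even exists.
            "successor_ready": nxt[1] <= remind_on,
        })
    return sorted(plan, key=lambda p: p["deadline"])

if __name__ == "__main__":
    # Constructed start date, two one-year cycles per slot.
    for step in switchovers(plan_rotation(date(2025, 1, 1), cycles=2)):
        print(step["remind_on"], "remind: move client from", step["expiring"],
              "to", step["switch_to"], "by", step["deadline"],
              f"({step['overlap_days']} days of overlap)")
```

Under these assumptions the external system changes keys roughly every six months after the first year, with about half a year of overlap in which to schedule each change.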