Tokens are required to access the integrator.io API. Account owners and administrators can use the integrator.io API to perform add/edit/delete operations on any resource in their account. Only these two roles can view the API tokens page.
Contents
- Manage and retrieve the API token
- Common questions
- Why am I getting token email notifications?
- How often does a token expire?
- Why is the API key in plain text?
- Is the API key committed to any source code repository?
- Why can't API keys use ENV variables or a secret management system where keys are not exposed in plain text?
- Why does the API key require full access and not read only?
- Why did we not get this alert in the test environment and only in the production environment?
- Is the API key protected behind a secure login or are these workflows available widely?
- Do we have any audit mechanism to track who is logging in to the accounts that have access to the key?
- How do I get a token value in the response header?
- Can I perform CRUD operations with API tokens that have custom scopes?
Manage and retrieve the API token
You can manage your tokens in the API tokens page or the Integration App’s Admin tab; several options are available under Action:
- Edit API token
- View audit log
- Revoke API token
- Generate new API token
To copy the token, click Show token and select the copy button.
Common questions
Why am I getting token email notifications?
If you're the account owner or an administrator, you'll receive an email notification every time a token is created, accessed, modified, or viewed in plain text (that is, the actual token value is exposed). This is a security measure to make you aware of any activity involving these tokens. You can review the audit logs in your account to determine who created, accessed, modified, or viewed the token in plain text.
If you suspect that your account password has been compromised, click the user avatar icon > My account. In the My account page, click the pencil icon next to Password to specify a new password.
Note that the actual token is never revealed in the email or via the user interface, unless the user with access permissions actively clicks to view the token.
How often does a token expire?
API tokens expire at an interval that you choose. The token can be automatically purged:
- Never
- After 1 hour
- After 4 hours
- After 1 day
- After 4 days
- After 10 days
- After 30 days
Why is the API key in plain text?
Only owners and administrators can view these tokens in plain text. If an owner or an administrator clicks the view token button, an email notification is sent to the account owner and all administrators of the account.
Is the API key committed to any source code repository?
Tokens are securely generated and are unique to each customer’s account and token instance. The keys are safely secured in a database and are not stored in any code repository. The same security measures for storing credentials are used for API key encryption and safety.
Why can't API keys use ENV variables or a secret management system where keys are not exposed in plain text?
Only account owners or administrators with Developer mode enabled can view tokens as needed for debugging purposes. API tokens have two classifications:
- Account-level API tokens:
  - For custom integrations, users can perform Create, Read, Update, or Delete (CRUD) operations.
  - For integration apps, users can perform Read and Update operations, but tokens are restricted from creating or deleting integration app data.
  - Updates are also limited to specific fields that can only be configured from within the user interface.
- Integration app-level API tokens:
  - Users can use these tokens to trigger exports and imports.
Why does the API key require full access and not read only?
The main purpose of the tokens is to enable developers to debug or build features on integrator.io via the API (instead of through the user interface).
Why did we not get this alert in the test environment and only in the production environment?
An alert is always triggered if an API key is viewed in plain text. Contact Celigo support if you don't receive a notification.
Is the API key protected behind a secure login or are these workflows available widely? If it is protected behind a login, who are the people with access to this?
Only users logged in as account owners or administrators can view API keys.
Do we have any audit mechanism to track who is logging in to the accounts that have access to the key?
Tokens have audit info like any other integrator.io resource.
How do I get a token value in the response header?
To get a refresh token value in your response header, add the following handlebars statement to your request: {{connection.rest.header.<token-name>}}
Can I perform CRUD operations with API tokens that have custom scopes?
When you create an access token for connections, exports, or imports, you can't perform create, read, update, or delete (CRUD) operations on those resources. Export scopes will provide access to invoke the exports, but will not allow CRUD operations on any export. Import scopes will provide access to invoke the imports, but will not allow CRUD operations on any import.
Connection scopes allow you to invoke virtual exports and imports for a given configured connection.
- POST /connections/{_id}/export
- POST /connections/{_id}/export/pages
- POST /connections/{_id}/import
- POST /connections/{_id}/proxy
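The connection-scope rules above, written as a default-deny check you can run over the calls an automation plans to make with a connection-scoped token. This is an added example, not Celigo's code. It assumes a token's scope is a set of connection ids and that paths are given relative to the API root, which the page does not state; the ids below are constructed.

```python
import re
from urllib.parse import urlsplit

# The four routes the page lists for connection-scoped tokens.
CONNECTION_SCOPE_ROUTES = (
    "/connections/{_id}/export",
    "/connections/{_id}/export/pages",
    "/connections/{_id}/import",
    "/connections/{_id}/proxy",
)


def _route_regex(route):
    # Escape the literal parts and capture {_id} as exactly one path segment.
    literal_parts = (re.escape(part) for part in route.split("{_id}"))
    return re.compile(r"(?P<id>[^/]+)".join(literal_parts))


_ROUTE_REGEXES = [_route_regex(route) for route in CONNECTION_SCOPE_ROUTES]


def connection_scope_permits(method, target, scoped_connection_ids):
    """Return True only for a request a connection-scoped token may make.

    target is a path (a query string is ignored) relative to the API root.
    scoped_connection_ids is the assumed set of ids the token was created for.
    """
    if method.upper() != "POST":
        return False  # every listed route is POST; other verbs are CRUD
    path = urlsplit(target).path
    for regex in _ROUTE_REGEXES:
        match = regex.fullmatch(path)
        if match:
            # Exact comparison: an encoded or unknown id never passes.
            return match.group("id") in scoped_connection_ids
    return False  # default deny: anything not listed is out of scope


def out_of_scope_calls(planned_calls, scoped_connection_ids):
    """Return the planned (method, target) pairs the token should not be used for."""
    return [
        call for call in planned_calls
        if not connection_scope_permits(call[0], call[1], scoped_connection_ids)
    ]
```

Calls returned by `out_of_scope_calls` need an account-level token instead, or should be dropped from the automation.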
Comments
2 comments
Hi,
Even when we select the Auto purge token as Never, the token is not showing in IO.
Sorry for the delay, UPPAbaby Admin. I tried to reproduce this scenario, but I'm using the latest build, which would be a newer version than what you had available in your initial thread.
No matter what permissions I set for the token, I see the familiar "Show token" option. Do you see anything in the "Token" column now in the API tokens page?