Authorization - API keys
Spark allows users to manage the API keys used authenticate calls to Spark APIs.
API key terminology
An API key group can contain multiple API key instances.
A key instance would correspond to an API key that is used for authentication.
Multiple key instances are useful for managing key rotation where the "to be" deactivated and next API key have an overlap for continuity.
An API key group represents the combined access rights of multiple user groups.
By default an API key will be able to call the following APIs:
See Permissions - Features permissions to allow API keys to access additional APIs.
API key groups
API keys on Spark are grouped together for ease of management into an API Key Group. Tenant-admins are the only users who are allowed to view these API keys (in encrypted format). All other users will not be able to see this page.
View API key groups
Login using
tenant-admincredentials.Choose Options from the User menu.
In the left-hand navigation that appears, select API keys.
This will show you a list of API key groups on the environment and relevant information.
There are also a few additional features on this page:
Enter an entire API key into the search filter and press Enter. The associated API key group will be filtered.
API key groups can also be filtered by the user groups they contain.
Hover on the last used time to see the exact time and date an API was called using the specific key.
API key groups that have soon-to-be expiring API key instances will have a yellow indicator. The indicator follows the logic described in API key expiry warning.
Add API key groups
There can be many reasons to create a new API key group:
Create API keys to make API calls to some/all services in Spark
Different applications or teams require a separate set of API keys. An API key that accesses the minimum number of required Spark services is more secure.
Using a different set of API keys that require elevated permissions to Spark's, see Permissions - Features permissions.
Once an API key group is created, it cannot be edited or deleted!
An API key is only displayed once! Please save the key in a secure location!
Click on New API key group from the top right corner.
Enter the required information.
The choice of User groups is important. If multiple user groups are selected, the API key instances generated from this API key group will have the greatest of the permissions across the API key groups.
For a Shared Tenant, where users have access to all folders and services within a tenant:
Only 1 API key group should be necessary, one that includes only
user:pf.Including
tenant-admininto a key group is only needed if the aim is to use the API key instances to orchestrate tasks that would be performed by atenant-admin.
For a Private tenant, where users have have restricted access to folders and services:
Multiple key groups can be assigned, however:
API keys will include permissions from the assigned user groups.
For any overlapping permissions, the greater permissions will apply.
When creating an API key group, a first API key instance is also created. Define the active and expiry dates of the API key instance.
Click Confirm to create the key group.
The API key will be displayed. The modal cannot be closed unless the API key has been copied.
API key instances
Multiple API key instances can be generated inside an API key group to allow for key rotation. This can be used to reduce the impact of keys that may be exposed externally. Keys can also be instantly deactivated.
API key instances take the same name, description, and user groups as their parent API key group.
View API key instances
Follow View API key groups to arrive at the API keys screen.
Click the API key group of focus.
This will show you a list of API key instances and relevant information including the API key status and API key warning.
There are also a few additional features on this page:
Enter an entire API key into the search filter and press Enter. The API key instance will be displayed with the associated information.
API key instances can also be filtered by their status, active dates, or usage.
API key groups that have soon-to-be expiring API key instances will have a yellow indicator. See API key expiry warning.
API key status
Active
Keys that can currently be used.
Active in the future
Key that will be active in the future.
Expired
Key that is past the validity date.
Deactivated
Deactivated by user intervention.
API key expiry warning
The yellow API key expiry warning indicator is shown based on the following logic.
≤1 days
The warning will always appear.
≤5 days
From the 2nd valid date of the key instance until key expiry.
≤7 days
From the 5th valid date of the key instance until key expiry.
≤31 days
From the 24th valid date of the key instance until key expiry.
Add API key instances
An API key is only displayed once! Please save the key in a secure location!
Follow View API key instances to arrive at the API key instance screen.
Click New API key and choose one of 2 options:
Generate API key where Spark will generate a random API key.
Create custom API key where the user can enter their own key.
Specify the active period for the new API key instance.
If Generate API key was selected:
The API key will be displayed. The modal cannot be closed unless the API key has been copied.
If Create custom API key was selected:
The modal will display an input box for to add an API key string. The key MUST be be 20 to 128 characters long and contain only alphanumeric characters or the dash character
-.Click Create.
The API key will be displayed again. The modal cannot be closed unless the API key has been copied.
Change the active period
API key active periods can be extended if a key is about to expire.
Follow View API key instances to arrive at the API key instance screen.
Click on the "three-dot menu" and select Edit active period.
Modify the active dates and click Confirm.
Spark will indicate if the change has been made.
Deactivate API key instances
A deactivated API key instance will not be able to call Spark APIs.
Follow View API key instances to arrive at the API key instance screen.
Click on the "three-dot menu" and select Deactivate.
Confirm the change.
Spark will indicate if the change has been made.
Reactivate API key instances
A deactivated or expired key can be reactivated at any time.
Follow View API key instances to arrive at the API key instance screen.
Filter for Expired or Deactivated statuses.
Click on the "three-dot menu" and select Reactivate.
Set the active dates and click Confirm.
Spark will indicate if the change has been made.
Use an API key
For APIs that accept API keys, the request header must include:
x-synthetic-keyfor the API key.x-tenant-namefor the tenant name.
List API keys with an API call
Enhancements are planned to the API key management and this API may replaced in the near future.
Get a list of API key instances.
Returns: List of API key instances including name, description, user groups, active and expiry dates.
With this information, the data can be used to extract expiration metadata, evaluate lifetime thresholds, trigger internal notifications.
Sample request
Sample response
HTTP 200 OK Content-Type: application/json
Review the features permissions for synthetic keys
We strongly recommend reviewing the Permissions - Features permissions to understand which other APIs the x-synthetic-key can access.
Last updated