API access keys

The Tenant management's API Access tab allows admins to view and generate access keys for other users.

About access keys

Access keys provide client IDs and secret keys that can be used with Public API, OPLG requirements, Agents, and CI plugins instead of password authentication.

To view and generate access keys, in the banner, go to Settings > Tenant management > API Access.

Note: Tenants created before version 24.3 can authenticate using the username/password or OAuth authentication methods. However, tenants created for version 24.3 and higher may only authenticate with the OAuth method with a client ID and secret key. The preferred and more secure method is to always authenticate with a client ID and secret key, even for earlier versions.

Back to top

Create and revoke access keys

The API Access tab lets you create and revoke access keys.

To create a new access key:

  1. Click the Create button.

  2. In the Create access key window, select a user for which you want to create an access key.

  3. Click Create. For each access key, the following columns are displayed:

    • Client ID. The client ID issued as the access key.

    • User. A user who has been granted multiple access keys appears multiple times.

    • Email. The user's email.

    • Last Access. The date that the access key was last accessed.

  4. Copy the client ID and secret key and send it to the user.

    Caution: This is the only time you will have access to the secret key—it is only displayed once, when it is generated. When you create an access key pair, save it in a secure location. If you lose your secret key, you must delete the access key and create a new one.

  5. To return to OpenText Core Performance Engineering, click the ← Back button.

To revoke an access key:

  1. Select the user for whom you want to revoke the key.
  2. Click the Revoke button.
  3. Click Revoke. The access key is deleted from the database.

Back to top

Refresh an access key

Key owners can also refresh access keys from MyAccount.

  1. Select the client ID for which you want to refresh the secret.
  2. Click the Refresh button.
  3. Copy the secret key and send it to the user.

Back to top

Automatic expiration

For security reasons, an automatic expiration policy is enabled by default for access keys. Automatic expiration reduces the lifetime of an access key by enforcing regular changes every 90 days by default.

An account admin can activate and deactivate the auto expiration policy, and change the expiration frequency. The policy is configured at the account level in MyAccount. When automatic expiration is enabled, an email notification is sent to users that own the key, 30 days and 7 days before the key is revoked, and 1 day before the key is set to expire.

Note: As of November 1st, 2023, OpenText set a 90-day automatic expiration period for all existing access keys even if they were created before that date. For example, an access key created on October 5th, 2023 is now set to expire 90 days after November 1st, 2023. If this access key is not refreshed before that date, it will automatically expire.

To customize the expiration policy:

  1. Log in to the MyAccount login window and click the Settings button. For details, see MyAccount - My Products.

  2. Select the account you want to modify and open the Security tab. The Custom OAuth expiration policy option is enabled by default with an expiration frequency of every 90 days.

  3. In the Account configuration area, click the Edit button Edit button, and modify the expiration policy as required:

    • To change the expiration frequency, click the days dropdown, and select the time period for forcing a change. This ranges between 90 and 360 days, in 30 day increments.

    • To deactivate automatic key expiration (not recommended), clear the Custom OAuth expiration policy checkbox. Click Continue to confirm that you are aware of the increased security risks and assume full responsibility for deactivating the feature.

  4. Click OK to save the changes. All keys of all products associated with the specific account inherit these settings, and have the same life period.

  5. The OAuth client area in MyAccount displays the list of clients that were created for the logged in user. Anyone that has a client can manually refresh the key in MyAccount before it expires.

Note: The key owner has the option to keep the same client ID and refresh only the secret. For details, see Refresh an access key.

Back to top

Access key guidelines and best practices

The following guidelines and best practices apply when working with access keys:

  • A user cannot have more than two access keys at one time. This encourages you to rotate the active keys. To assign a new access key to a user with two access keys, revoke an existing one.

  • Access keys are per tenant. If the same user exists in multiple tenants, the user must have a separate access key for each tenant.

  • If your account admin chooses not to enforce an expiration policy, we still recommend rotating access keys periodically.

  • The recommended lifetime of an access key is 90 days. Using an access key for more than 12 months is considered bad security and is not recommended.

  • Do not embed access keys directly into your code.

  • Remove unused access keys.

Your organization may have different security requirements and policies than those described in this section. The suggestions provided here are intended as general guidelines.

Caution: Do not share your access keys with a third party. By doing this, you might give someone access to your account.

Back to top

See also: