Is there a way to audit and/or disable user API tokens?
For example, we need to prevent long-lived user API tokens; we need to ensure API tokens expire before 90 days.
Audit and/or Disable User API Tokens
Hey Kevin @kevin.murphy,
You can try registering a private app with Scoped OAuth functionality, and then fetch user tokens with only the audit.read scope. This scoped token can then be used to access the audit API.
Hope that helps answer the question!
Thanks - Looks like user tokens may not be available yet…
https://developer.pagerduty.com/docs/ZG9jOjExMDI5NTY2-audit-records-api#resources-tracked
Hey @kevin.murphy, can you please help me understand your use case and share some more context? I am not sure I understand when you mentioned user tokens are not available yet? Do you mean User API keys by user tokens? We do have a way to disable User API token creation for your PD subdomain if that’s what you are looking for. Happy to also jump on a call with you if you can share your details. Thanks!
Hi @nakul.bhagat - We have a requirement to rotate access keys every 90 days. So, I’m looking to audit the “API Access Keys” for all users. If any keys were created more than 90 days ago, delete/revoke them.
Hey @kevin.murphy, unfortunately there is no API available to audit the API Keys. There is a manual and tedious process I can think of where, if you are an admin/owner, you can go to each user’s page and then to the User API Keys page, where you will find the data rendered in a table giving you details on when the User API Key was created and when it was last used.
I would recommend looking at the Scoped OAuth User Tokens, which expire in 24 hours automatically. On top of that, you get the ability to revoke all the tokens if and when needed, and in unforeseen circumstances you can even delete the Scoped OAuth client and recreate a new one within the App that you created/registered. You can find more details here.
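Since the answer above says there is no API for auditing User API Keys, the check has to run over data copied from each user’s User API Keys page. Below is an added example (not from this thread or from PagerDuty) that applies the 90-day rotation rule from the question to a constructed export of that table; it also flags keys that have never been used, which is an extra check I added, not something the thread asks for.

```python
"""Flag user API keys that violate a rotation window.

Added example, not PagerDuty code. Each row mimics what the User API Keys
page shows per key (created / last used). The rows are constructed sample
data; no PagerDuty API is called.
"""
from datetime import datetime, timedelta

ROTATION_DAYS = 90  # the 90-day rotation requirement from the thread

# Constructed sample export: one row per user API key, ISO-8601 UTC timestamps.
SAMPLE_KEYS = [
    {"user": "alice", "label": "ci-runner",
     "created": "2024-01-05T10:00:00Z", "last_used": "2024-04-01T08:00:00Z"},
    {"user": "bob", "label": "laptop",
     "created": "2024-03-20T09:30:00Z", "last_used": None},
    {"user": "carol", "label": "script",
     "created": "2023-11-01T00:00:00Z", "last_used": None},
]


def parse_ts(value):
    """Parse an ISO-8601 timestamp with a trailing 'Z'; None stays None."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def stale_keys(keys, now, rotation_days=ROTATION_DAYS):
    """Return keys that should be revoked, oldest first, with the reasons."""
    cutoff = now - timedelta(days=rotation_days)
    findings = []
    for key in keys:
        created = parse_ts(key["created"])
        age_days = (now - created).days
        reasons = []
        if created < cutoff:
            reasons.append(f"created {age_days}d ago (> {rotation_days}d)")
        if parse_ts(key["last_used"]) is None:
            reasons.append("never used")  # added check: unused keys are pure risk
        if reasons:
            findings.append({"user": key["user"], "label": key["label"],
                             "age_days": age_days, "reasons": reasons})
    findings.sort(key=lambda f: -f["age_days"])
    return findings


def audit_at(now_iso, keys=SAMPLE_KEYS):
    """Run the policy check as of the given ISO-8601 instant."""
    return stale_keys(keys, parse_ts(now_iso))


if __name__ == "__main__":
    for f in audit_at("2024-04-15T00:00:00Z"):
        print(f["user"], f["label"], f["age_days"], "; ".join(f["reasons"]))
```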
Thanks @nakul.bhagat. OAuth is what I have switched to. I’ll just update our internal docs to not use API Keys.