
Make API keys more secure by adding an expiration time to them

Open mooreds opened this issue 9 months ago • 1 comments

Problem

FusionAuth API keys are good forever.

Solution

Would be great to enforce security best practices by having a lifetime for an API key. This would mean that the key would no longer be valid after a certain time, settable on creation or via the Update API Key API.

Alternatives/workarounds

Enforce API key rotation outside of FusionAuth using the API Key API to delete based upon key age, or something like that.

Community guidelines

All issues filed in this repository must abide by the FusionAuth community guidelines.

How to vote

Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.

mooreds, Oct 30 '23 02:10

Would add that we should have a process that emails admins of the FusionAuth app regarding keys that are close to expiring - or at least expose this functionality.

jobannon, Oct 30 '23 19:10
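An added example, not part of the issue thread or FusionAuth's own code: one way an external job could implement the age-based deletion workaround and the near-expiry notice discussed above. The record fields `id` and `insertInstant`, the 90-day and 14-day values, and the `delete_key` and `notify` hooks are assumptions; how the key inventory is obtained and how deletion is performed are left to the caller.

```python
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(days=90)      # assumed rotation policy, not a FusionAuth setting
WARN_WINDOW = timedelta(days=14)  # assumed notice period before a key ages out

def plan_rotation(keys, now, protected_ids=frozenset()):
    """Bucket key records by age. Records are dicts with 'id' and 'insertInstant'
    (creation time, epoch milliseconds); both field names are assumptions."""
    plan = {"delete": [], "warn": [], "ok": []}
    for rec in keys:
        created_ms = rec.get("insertInstant")
        if not isinstance(created_ms, (int, float)) or created_ms <= 0:
            age = MAX_AGE  # unknown creation time: fail closed, treat as expired
        else:
            age = now - datetime.fromtimestamp(created_ms / 1000, tz=timezone.utc)
        if age >= MAX_AGE:
            # Do not auto-delete the key the rotation job itself uses; flag it.
            bucket = "warn" if rec["id"] in protected_ids else "delete"
        elif age >= MAX_AGE - WARN_WINDOW:
            bucket = "warn"
        else:
            bucket = "ok"
        plan[bucket].append(rec["id"])
    return plan

def enforce(plan, delete_key, notify):
    """Apply the plan via caller-supplied callables (hypothetical hooks)."""
    failed = []
    for key_id in plan["delete"]:
        try:
            delete_key(key_id)
        except Exception as exc:  # keep going; report what could not be removed
            failed.append((key_id, str(exc)))
    if plan["warn"] or failed:
        notify(plan["warn"], failed)
    return failed

# Constructed sample inventory: ids and timestamps are made up.
NOW = datetime(2023, 10, 30, tzinfo=timezone.utc)
def ms_ago(days):
    return int((NOW - timedelta(days=days)).timestamp() * 1000)
SAMPLE = [
    {"id": "key-old", "insertInstant": ms_ago(120)},
    {"id": "key-soon", "insertInstant": ms_ago(80)},
    {"id": "key-new", "insertInstant": ms_ago(5)},
    {"id": "key-unknown"},                      # no creation time recorded
    {"id": "key-job", "insertInstant": ms_ago(200)},
]
```

Passing the rotation job's own key id in `protected_ids` keeps the job from revoking the credential it is running with; that key is reported for manual rotation instead.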