API keys

You use API keys to enable an inbound machine-to-machine integration for an external client. API keys can be used by the OSLC and REST APIs and can also be used as part of the Manage integration framework.

In a machine-to-machine integration, an external machine interacts with Manage data in the Manage system without the use of a browser. API keys are a native form of authentication that does not require an external repository for password storage.

By default, all API keys are encrypted in storage. This setting is controlled by the mxe.secureapikey property.

Adding API keys for REST APIs

When an API key is assigned to the external client, the external client can access and interact with data in the Manage system by using the API key as an apikey query parameter or an apikey request header in REST API calls. REST API calls that use an API key do not create a persistent server connection, and the API key must be part of all REST API requests that the external client makes.

For more information, and to use an API key, open the API documentation: on the API Keys subtab of the Integration tab of the Administration Work Center, select API documentation from the Action menu. Then select Authorize to use your API key.

Using external systems to create API keys

You can use an external system to create the API key and provide the API key value to the integration framework. Create this type of API key by using the MXAPIAPIKEY REST API and providing your generated API key in the "apikey" JSON property, as shown in the following code:
POST /oslc/os/mxapiapikey
 "apikey":"<outside generated apikey>",

Security access

As the system administrator, you must synchronize Manage users for the external clients before API keys are created for those clients. The permissions that are associated with the API key are determined by the permissions for the associated user. You can create and configure API keys on the API Keys subtab of the Integration tab of the Administration Work Center.

You also can specify security that enables only the logged-in user to create an API key. To limit the creation of API keys to the logged-in user, go to the System Properties application and filter for the mxe.apikeyforloggedinuser property. In the Global Value field, specify 1 and save the record. Select Live Refresh to apply the value immediately.

To disable access to the Manage system for an external client, you can delete the associated API key, but the external client might still access the Manage system by using another configured authentication system. If an API key is compromised, delete the key and create another key for that user.
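A key that is sent as the apikey query parameter is part of the request URL, so it can be recorded in web server or proxy access logs; a key found there is a candidate for the delete-and-re-create step described above. The following added example (not part of the product documentation) scans access-log lines for such keys, redacts them, and lists the clients that sent them. The log format, client addresses, the x parameter, and key values are constructed assumptions.

```python
import hashlib
import re
from collections import defaultdict

# apikey query parameter; matched case-insensitively to be conservative.
APIKEY_PARAM = re.compile(r'(?i)([?&]apikey=)([^&\s"]+)')

# Constructed sample access-log lines (assumed common log format, made-up keys).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Mar/2024:10:00:01 +0000] "GET /oslc/os/mxapiapikey?apikey=CONSTRUCTEDKEY0001 HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Mar/2024:10:00:02 +0000] "GET /oslc/os/mxapiapikey?x=1&APIKEY=CONSTRUCTEDKEY0001 HTTP/1.1" 200 498',
    # Key sent as a request header: nothing sensitive appears in the URL.
    '10.0.0.9 - - [01/Mar/2024:10:00:03 +0000] "GET /oslc/os/mxapiapikey HTTP/1.1" 200 498',
    '10.0.0.7 - - [01/Mar/2024:10:00:04 +0000] "GET /oslc/os/mxapiapikey?apikey=CONSTRUCTEDKEY0002&x=1 HTTP/1.1" 401 120',
]


def fingerprint(key):
    """Short SHA-256 prefix: tells keys apart without storing them."""
    return hashlib.sha256(key.encode()).hexdigest()[:12]


def scrub(line):
    """Return (redacted line, fingerprints of keys found in its URL)."""
    found = []

    def _redact(match):
        found.append(fingerprint(match.group(2)))
        return match.group(1) + "[REDACTED]"

    return APIKEY_PARAM.sub(_redact, line), found


def report(lines):
    """Return (redacted lines, {fingerprint: clients that sent it in a URL})."""
    exposed = defaultdict(set)
    redacted = []
    for line in lines:
        clean, prints = scrub(line)
        redacted.append(clean)
        for fp in prints:
            exposed[fp].add(line.split(" ", 1)[0])  # first field = client address
    return redacted, {fp: sorted(clients) for fp, clients in exposed.items()}


if __name__ == "__main__":
    redacted, exposed = report(SAMPLE_LOG)
    print("\n".join(redacted))
    for fp, clients in exposed.items():
        print(f"key {fp} seen in URLs from {clients}: delete and re-create it")
```

Clients that send the key in the apikey request header, like the third sample line, leave nothing in the URL for the scan to find.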