API Keys
Introduction
The Tarsal API uses JSON web tokens (JWT). It authenticates request tokens and responds with access tokens.
JWTs are objects for secure, stateless communication between Tarsal and your API integration (client application). Authentication request tokens contain information from your Tarsal account and are signed with a shared secret. Access tokens are reusable, long-lived credentials that authorize API use without a password-based login and are issued after successful authentication.
Shared secrets and API keys are unique alphanumeric strings for application and user identity and validation. Tarsal automatically generates a shared secret upon account creation. API keys, or application secrets, are generated on demand and specific to each integration.
The following JWT configuration variables and portal values comprise the data for an API authentication request token:
JWT Configuration Variable | Tarsal Portal Value | Portal Location |
---|---|---|
CUSTOMER_ID | The identifier for the account | Account > Settings > General > Organization > Customer ID |
SHARED_SECRET | The private key for the account | Account > Settings > API Keys > API Shared Secret |
APPKEY | The generated API key for the API integration | Account > Settings > API Keys > Add API Key > Application Secret |
APPNAME | The name of the API integration | Account > Settings > API Keys > Add API Key or Edit API Key > Application Name |
See API Keys Overview for more information.
The Tarsal portal provides key management and JWT values at https://app.tarsal.cloud/settings/api-keys, including:
- Shared secret management
- API key management
For security, API key values are visible in the portal when created or regenerated; they aren’t retrievable after display. The shared secret, however, is always viewable, and unlike API keys, it is not removable.
Key Storage
Store the shared secret and keys securely! Tarsal can’t recover your API keys.
Overview
Tarsal API authentication includes the following steps:
- Construct a JWT payload with the required configuration variables and values.
- Encode the JWT using the payload, shared secret, and signing algorithm.
- Supply the JWT in an API authentication request.
- Send the response access token in all following API requests.
See the API Authentication Recipe for details.
Lost Keys
If your API key is lost, regenerate it and update your integration.
After regenerating the shared secret or keys, your integration will immediately stop working without sending a new access token in API requests.
Managing the Shared Secret
The following steps assume you’re an Admin
and logged in to the portal.
Viewing the Shared Secret
To view the account’s shared secret:
- Go to Account > Settings from the left navigation.
- Click the API Keys tab at the top.
- Click the API Shared Secret button on the upper right.
- In the modal window, click the clipboard icon () on the right to copy the shared secret to your clipboard. Record the value in a safe location.
- Click the Cancel button.
Request Token Value
API Shared Secret provides the value for
SHARED_SECRET
in the authentication request token.
Regenerating the Shared Secret
Before You Begin
Regenerate the shared secret as needed, but note that it immediately invalidates all your API integrations. For each integration, encode a request token with the new shared secret and request a new access token.
To regenerate the shared secret:
- Go to Account > Settings from the left navigation.
- Click the API Keys tab at the top.
- Click the API Shared Secret button on the upper right.
- In the modal window
- Click the Regenerate button.
- Click the clipboard icon () on the right to copy the shared secret to your clipboard. Record the value in a safe location.
- Click the X on the upper right to close the modal window.
Managing API Keys
The following steps assume you’re an Admin
and logged in to the portal.
Before You Begin
Record and store API keys in a safe place!
Adding an API Key
To create a new API key:
- Go to Account > Settings from the left navigation.
- Click the API Keys tab at the top.
- Click the API Shared Secret button on the upper right.
- In the modal window
- Enter an Application Name.
- Enter an optional Description.
- Select
Member
orAdmin
from the drop-down list. - Click the Save button.
- Click the clipboard icon () to the right of Application Name (appname) to copy it to your clipboard. Record the value in a safe location.
- Click the clipboard icon () to the right of Application Secret (appsecret) to copy it to your clipboard. Record the value in a safe location.
- Click the Done button.
Request Token Values
In the authentication request token, Application Name (appname) provides the value for
APPNAME
, and Application Secret (appsecret) forAPPKEY
.
Choosing an API Key Role
API keys have roles, unlike shared secrets. Select the most secure role based on your integration’s functionality. See Roles for more details.
Updating an API Key
To edit an API key’s associated information:
- Go to Account > Settings from the left navigation.
- Click the API Keys tab at the top.
- Click . . . (three dots) under the Action column for the desired key.
- In the drop-down menu, select Edit.
- In the modal window
- Update the Application Name.
- Update the optional Description.
- Update the Role in the drop-down list.
- Click the Save button.
Changing API Key Information
Your integration will stop functioning if the application name or role is updated. Send a new request token to receive a new access token.
Regenerating an API Key
New API keys for existing integrations are sometimes necessary. For example, a compromised API key requires a replacement.
Before You Begin
API key regeneration immediately invalidates your API integration. Make sure to request a new access token using the regenerated key!
To regenerate an API key:
- Go to Account > Settings from the left navigation.
- Click the API Keys tab at the top.
- Click . . . (three dots) under the Action column for the desired key.
- In the drop-down menu, select Regenerate.
- In the modal window
- Click the Regenerate button.
- Under API Key, locate Application Secret (appsecret).
- Click the clipboard icon () on the right to copy the API key (application secret) to your clipboard. Record the value in a safe location.
- Click the Done button.
The application name, description, and role remain when regenerating an API key.
Removing an API Key
Before You Begin
Deleted API keys aren’t recoverable. Before removing a key, ensure an integration doesn’t use it.
To delete an API key:
- Go to Account > Settings from the left navigation.
- Click the API Keys tab at the top.
- Click . . . (three dots) under the Action column for the desired key.
- In the drop-down menu, select Remove.
- In the modal window, click the Delete API Key button.
Updated 4 months ago