With the release of version 18, Poly introduces significant enhancements to API key management. These improvements include an expiry attribute for API keys, which can be set to a specific duration (in days) or never to expire, as well as the ability to rotate keys to generate new ones. Currently available through an API-first approach, these features will be accessible via the UI starting with release 19.
Key Benefits
These advancements are crucial for addressing several use cases:
- Temporary Access Management: Administrators can assign expiration dates to API keys issued to temporary users, contractors, or other short-term collaborators, eliminating the need for manual cleanup.
- Enhanced Security: Setting expiration dates minimizes the risk of compromised keys being silently exploited over long periods, reducing the potential for unauthorized access to customer data.
- Periodic MFA Enforcement: By requiring users to periodically complete Multi-Factor Authentication (MFA) to retain access to API keys, we mitigate risks of attackers exploiting compromised keys.
- Compliance Alignment: Organizations can adhere to regulatory and internal compliance standards by implementing strict expiration and rotation policies.
How It Works
When creating an API key, administrators now have the option to:
- Set Expiration Dates: Choose a specific period (in days) or opt for keys that never expire.
- Enable Post-Expiry Rotation: Users can rotate an expired key to obtain a new one, but only within a configurable grace window, currently set to 7 days by default.
- Enforce MFA for Rotation: Users must complete an OTP flow to generate a new key upon rotation if MFA is enabled for a tenant or environment.
We recommend using application keys for deployments that involve server functions, so that the expiry of an individual user's key does not unexpectedly interrupt those operations.
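To make the lifecycle above concrete, here is an added Python model of the expiry, grace-window and MFA-on-rotation rules described in this section. It is not Poly's code or API; the function names, the 7-day default and the policy that rotation is also permitted before expiry are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional
import secrets

# Assumed default: the 7-day post-expiry rotation window described above.
ROTATION_WINDOW_DAYS = 7


@dataclass
class ApiKey:
    """Minimal model of an API key; expires_at=None means the key never expires."""
    secret: str
    created_at: datetime
    expires_at: Optional[datetime]


def create_key(now: datetime, expiry_days: Optional[int]) -> ApiKey:
    """Issue a key valid for expiry_days, or forever when expiry_days is None."""
    expires_at = None if expiry_days is None else now + timedelta(days=expiry_days)
    return ApiKey(secret=secrets.token_urlsafe(32), created_at=now, expires_at=expires_at)


def key_status(key: ApiKey, now: datetime, window_days: int = ROTATION_WINDOW_DAYS) -> str:
    """'active': usable; 'expired_rotatable': unusable but still inside the grace
    window; 'expired_locked': grace window elapsed, an administrator must reissue."""
    if key.expires_at is None or now < key.expires_at:
        return "active"
    if now < key.expires_at + timedelta(days=window_days):
        return "expired_rotatable"
    return "expired_locked"


def rotate_key(key: ApiKey, now: datetime, expiry_days: Optional[int],
               mfa_enabled: bool, otp_verified: bool,
               window_days: int = ROTATION_WINDOW_DAYS) -> ApiKey:
    """Replace a key with a fresh one. Assumed policy: rotation is allowed while
    the key is active or inside the grace window, and when MFA is enabled for the
    tenant/environment the caller must have completed the OTP flow first."""
    if key_status(key, now, window_days) == "expired_locked":
        raise PermissionError("rotation window elapsed; ask an administrator for a new key")
    if mfa_enabled and not otp_verified:
        raise PermissionError("MFA enabled: complete the OTP flow before rotating")
    return create_key(now, expiry_days)
```

The boundary cases worth checking in any real implementation are the instant of expiry (the key stops working) and the end of the grace window (self-service rotation stops working and an administrator must step in).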
Our Vision for Enhanced User Security
While API key-based authentication remains the default for Poly, we are actively working towards integrating Single Sign-On (SSO) support. This will encompass the Poly Management UI and our VS Code extension, allowing seamless authentication via SSO providers. Authorization permissions will continue to be managed within Poly, supporting both Poly’s core platform and applications built using Canopy.
This approach enhances user convenience while maintaining robust security, aligning with our commitment to delivering enterprise-grade solutions.
Learn More
Want to explore these features further?
- Sign up for free to experience Poly firsthand.
- Have questions about our roadmap or platform? We’d love to hear from you! Reach out at hello@polyapi.io or fill out our contact form.
Stay tuned for future updates as we continue to innovate and refine our platform to meet your evolving needs.