Consultation on API Key Handling
Posted: Thursday, 08 August 2024
ACSP/Surveys
ARIN is seeking feedback from the community on a potential improvement to increase the security for Application Programming Interface (API) key handling, specifically allowing the option to pass API keys in the header of a Restful Payload, and to use IP address range bounding to limit the validity of an API key. The benefit of this potential improvement is that it would give users options to make their API keys more secure and bring ARIN in line with best practices for API key handling.
ARIN’s RESTful Provisioning system leverages modern application interfaces and provides even stronger authentication. RESTful calls require the use of an API key. Since the development of these systems, best practices have evolved to make them more secure. When the API key is included in the payload, it is encrypted which increases the security of these programmatic transactions with ARIN systems. The current system relies on the security of the connection between the networks that transport these plain text API keys. How urgent is the need for ARIN to bring its API key handling in line with the current best practices?
By adding functionality to allow the API keys to be shared as a header parameter, ARIN would create an option for customers who prefer to encrypt their API keys. By further allowing customers to set IP address boundaries for an API key’s usage, they can better control how their API keys are used.
We are seeking community input on the priority for updating the methods for the handling of API keys in ARIN’s RESTful provisioning system.
Please provide comments to arin-consult@arin.net. You can subscribe to this mailing list at https://lists.arin.net/mailman/listinfo/arin-consult.
This consultation will remain open until 5:00 PM ET on 23 August. ARIN seeks clear direction through community input, so your feedback is important.
Thank you for your continued support to improve ARIN’s services.
Regards,
John Curran
President and CEO
American Registry for Internet Numbers (ARIN)
Recent Announcements
- Sponsorship Opportunities Available for 2025 ARIN Public Policy and Members Meetings
- Reminder - ARIN Will Only Support TLS 1.2 and TLS 1.3 Cryptographic Features Across All ARIN Services As of 3 February 2025
- Consultation on Reg-RWS Improvements
- NOW CLOSED – Consultation on Reg-RWS Improvements
- ARIN Will Retire the Use of FTP on 31 March 2025
- IPv4 Waiting List Distribution
- UPDATE - Consultation on Reallocation Control Features
- Reclassification of Inactive General Members Completed 18 November 2024
- ARIN 54 Meeting Report Now Available
- 2024 ARIN Election Results
- » View Archive