API Access Token updates


We've made a number of improvements to API Access Token security, management, and visibility for Corp Owners.

Security:

  • Corp Owners can set an expiration TTL that applies to all tokens. The expiration countdown is measured from the token's creation timestamp, not from its last use.
  • Corp Owners can define a list of IP addresses or ranges that all tokens must be used from (for example, a corporate network); API calls from any other address fail with a 400 error.
  • Corp Owners can restrict token usage on a user-by-user basis. See below.
  • These restrictions can be enabled or disabled from the Corp Manage > User Authentication page.

Restrictions by user:

  • When per-user restrictions are enabled, no user in the corp can create or use tokens unless they are given explicit permission by a Corp Owner.
  • IMPORTANT: If users have existing tokens when this feature is enabled, those tokens are disabled (not deleted) until their owners are granted permission, after which they resume working. A user only needs to be granted permission once.
  • Permission is granted to users from the Corp Manage > Corp Users > Edit User page.

Visibility and management:

  • Corp Owners can see all the tokens created and in use across the corp from the new Corp Manage > API Access Tokens page.
  • Corp Owners can view information about each token (such as creator and IP), as well as information related to the changes above, such as expiration and status (Disabled by Owner, Expired, Active).
  • When Restrictions by User is turned on, a Corp Owner can use this page to see which users still need permission and which tokens are disabled.
  • Corp Owners can delete access tokens.
  • An individual user's tokens have moved from their account settings page to the new My Profile > API Access Tokens page.
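The following is an added example, not code from the product or this announcement, that models how the three restrictions above interact when a token is presented: expiry measured from the creation timestamp, the corp-wide source-IP allowlist (rejected with 400, as stated above), and per-user restrictions that leave existing tokens disabled rather than deleted until the owner grants permission. The `CorpPolicy`, `Token` and `authorize` names, the check order, and the 401 used for expired or disabled tokens are assumptions made for the illustration; the page only specifies the 400 for disallowed IPs and the three status labels.

```python
"""Model of the announced API Access Token restrictions (illustrative only).

Assumptions not stated by the announcement: the order in which checks run,
and the 401 status returned for Expired / Disabled tokens.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional
import ipaddress


@dataclass
class CorpPolicy:
    token_ttl: Optional[timedelta] = None            # None: tokens never expire
    allowed_networks: list = field(default_factory=list)   # CIDR strings; empty: no IP restriction
    per_user_restrictions: bool = False
    permitted_users: set = field(default_factory=set)      # users a Corp Owner has granted permission


@dataclass
class Token:
    owner: str
    created_at: datetime   # expiry is counted from this timestamp, not from last use


def token_status(token: Token, policy: CorpPolicy, now: datetime) -> str:
    """Return one of the statuses shown on the API Access Tokens page."""
    if policy.token_ttl is not None and now - token.created_at >= policy.token_ttl:
        return "Expired"
    # The token is kept, not deleted: it becomes Active again once the owner is permitted.
    if policy.per_user_restrictions and token.owner not in policy.permitted_users:
        return "Disabled by Owner"
    return "Active"


def ip_allowed(source_ip: str, policy: CorpPolicy) -> bool:
    """True if no allowlist is configured or the source address is inside one of the ranges."""
    if not policy.allowed_networks:
        return True
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in policy.allowed_networks)


def authorize(token: Token, policy: CorpPolicy, source_ip: str, now: datetime):
    """Return (http_status, reason) for an API call made with `token` from `source_ip`."""
    if not ip_allowed(source_ip, policy):
        return 400, "source IP not in corp allowlist"   # status code stated in the announcement
    status = token_status(token, policy, now)
    if status != "Active":
        return 401, status                              # assumed code for a non-Active token
    return 200, "ok"


def demo() -> dict:
    """Constructed scenario: a 90-day TTL, a corporate allowlist and per-user restrictions."""
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    policy = CorpPolicy(
        token_ttl=timedelta(days=90),
        allowed_networks=["10.0.0.0/8", "192.0.2.0/24"],   # constructed corporate ranges
        per_user_restrictions=True,
        permitted_users={"alice"},
    )
    alice = Token("alice", created_at=now - timedelta(days=10))
    stale = Token("alice", created_at=now - timedelta(days=91))   # past the TTL
    bob = Token("bob", created_at=now - timedelta(days=1))        # existed before bob was permitted
    results = {
        "alice_from_corp_net": authorize(alice, policy, "10.1.2.3", now),
        "alice_from_outside": authorize(alice, policy, "203.0.113.5", now),
        "stale_token": authorize(stale, policy, "10.1.2.3", now),
        "bob_before_permission": authorize(bob, policy, "192.0.2.9", now),
    }
    policy.permitted_users.add("bob")   # Corp Owner grants permission once; the token was never deleted
    results["bob_after_permission"] = authorize(bob, policy, "192.0.2.9", now)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Running the block shows the caveat from the IMPORTANT note above directly: Bob's pre-existing token is reported as Disabled by Owner, and the very same token object returns to Active once his name is added to the permitted set, with no re-issuance needed.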
