- Improvement
- Resolution: Fixed
- Neutral
- None
- None
- None
- Yes
- Yes
- Declarative REST 14, Declarative REST 15
- 3
As a developer, I want to use values stored in the Password Manager in my REST calls, so that I can connect to APIs but not expose my API keys or secrets.
Acceptance criteria
- I can use values from the password manager
- In a header, parameter, path or body of a REST call
Context
Many APIs expect a text API key (sometimes called a secret or an API token) to be provided somewhere in the REST call.
For example:
http://api.openweathermap.org/data/2.5/forecast?q=London,us&APPID=11c86e6e92231833a10604185a855418
Notes
While working on the DRC presentation, I had configured API tokens in the REST call's headers - this might be a security issue for some users.
I suggest adding an improvement that would use the password manager to hide the sensitive information. We could use a placeholder with a password: prefix to denote that the value should be read from the password manager and replaced with the password.
Example:
baseUrl: https://example.com
restCalls:
  foo:
    headers:
      api_key: {@password:<UUID>}
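A sketch of the substitution the ticket proposes, added here as an illustration and not taken from the Magnolia REST client code. The function names, the in-memory store, the UUID and the key value are all constructed assumptions; the point shown is that the stored configuration keeps only the placeholder, resolution happens just before the request is sent, and an unknown id fails closed.

```python
import re
import uuid

# Placeholder form proposed in the ticket: {@password:<UUID>}
PLACEHOLDER = re.compile(r"\{@password:([0-9a-fA-F-]{36})\}")

class UnknownSecret(KeyError):
    """A placeholder references an id the store does not hold."""

def resolve(value, store):
    """Replace every placeholder in one string; never send an unresolved one."""
    def lookup(match):
        key = str(uuid.UUID(match.group(1)))  # normalises case, rejects malformed ids
        if key not in store:
            raise UnknownSecret(key)
        return store[key]
    return PLACEHOLDER.sub(lookup, value)

def resolve_call(call, store):
    """Resolve placeholders in path, body, headers and query parameters."""
    out = dict(call)
    out["path"] = resolve(call.get("path", ""), store)
    out["body"] = resolve(call.get("body", ""), store)
    for part in ("headers", "params"):
        out[part] = {k: resolve(v, store) for k, v in call.get(part, {}).items()}
    return out

def redact(text, store):
    """Mask secret values before a resolved request is written to a log."""
    for secret in store.values():
        text = text.replace(secret, "***")
    return text

# Constructed sample data: a stand-in for the password manager and one REST call.
SECRET_ID = "3f2b8c1e-5d4a-4e6f-9a7b-0c1d2e3f4a5b"
STORE = {SECRET_ID: "constructed-api-key"}
CALL = {
    "path": "/data/2.5/forecast",
    "headers": {"api_key": "{@password:%s}" % SECRET_ID.upper()},
    "params": {"q": "London,us"},
    "body": "",
}

if __name__ == "__main__":
    resolved = resolve_call(CALL, STORE)
    print("stored config :", CALL["headers"])
    print("log-safe view :", redact(str(resolved["headers"]), STORE))
```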
- is depended upon by: MGNLRESTCL-114 Removing redundancy from configuration of security schemes (Closed)
- supersedes: MGNLRESTCL-89 Securely store API key (Closed)