When JFrog introduced API Keys in Artifactory 4.4.3, they gave users an easy way to create a secret that could be used in place of a password with Artifactory's REST APIs, or through clients such as the JFrog CLI and package managers. However, API Keys proved to be less secure, in part because users tended to re-use the same password for multiple applications, API Keys can be retrieved from the database, and API Keys have no lifecycle management features and never expire.
JFrog's Identity Token is an Access Token that is scoped (targeted) to a specific user's permissions, that is, to their identity. An Identity Token is the key to obtaining the other types of tokens. Because JFrog's Access Tokens are standard JWTs they can be quite long, so JFrog introduced the Reference Token: a short string of characters that refers to an actual token.
Unlike API Keys, Identity Tokens and Reference Tokens are a more secure way to manage user authentication because they inherit the security features of Access Tokens.
Compared with API Keys, identity reference tokens have the following advantages:
- Reference tokens are not retrievable: identity tokens are stored hashed, so they cannot be retrieved from the UI, REST API, or database, which makes them less likely to be compromised.
- Reference tokens can have a default expiry: the Artifactory administrator can set a default expiry for Reference Tokens, control the default expiry time, and decide whether a token is refreshable or not.
- A user can have multiple identity tokens: unlike API Keys, a user can create numerous identity tokens.
- Identity token information can be viewed, and the token revoked, via the JFrog Platform UI, both by the user and by administrators.
- Reference tokens are short (64 characters): unlike JWT tokens, reference tokens can be used with clients that do not support long tokens or passwords.

Identity Tokens can be used in multiple ways: as bearer tokens (curl -H "Authorization: Bearer <token>"), and, for Artifactory endpoints, reference tokens can be used in the same way as API Keys, via the X-JFrog-Art-Api header, or as basic credentials (curl -u User1:<reference token>).