Comparing Identity Tokens and Reference Tokens with API Keys

JFrog Platform Administration Documentation

When JFrog introduced API Keys in Artifactory 4.4.3, they gave users an easy way to create a secret. This key could then be used instead of a password with Artifactory's REST APIs or through clients such as the JFrog CLI and package managers. However, this proved to be less secure, in part because users tended to reuse the same password for multiple applications, API Keys can be retrieved from a database, and API Keys have no lifecycle management features and never expire.

JFrog’s Identity Token is an Access Token that is scoped (targeted) to a specific user’s permissions (their identity). Using an Identity Token is key to accessing the other types of tokens. Because JFrog’s Access Tokens are standard JWTs, they can be quite long, so JFrog introduced the Reference Token, which is simply a short string of characters that refers to an actual token.

Unlike API Keys, Identity Tokens and Reference Tokens are a more secure way to manage user authentication because they inherit the security features of Access Tokens.
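
The sketch below is an added example, not JFrog code. It shows how a credential inventory can tell a self-contained JWT, whose expiry can be read locally, from an opaque string such as an API Key or Reference Token, whose lifetime is known only to the issuing server. The function names and sample values are constructed for illustration, only the standard JWT claims `sub` and `exp` (RFC 7519) are read, and no signature is verified.

```python
import base64
import json
import time


def _b64url_decode(segment):
    # JWT segments are unpadded base64url (RFC 7515); restore the padding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_sample_jwt(claims):
    # Constructed sample with a placeholder signature, not a real JFrog token.
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{body}.{_b64url_encode(b'constructed-signature')}"


def inspect_credential(secret, now=None):
    """Classify a stored credential for inventory. Signatures are NOT verified."""
    now = time.time() if now is None else now
    parts = secret.split(".")
    if len(parts) == 3:
        try:
            header = json.loads(_b64url_decode(parts[0]))
            claims = json.loads(_b64url_decode(parts[1]))
        except ValueError:  # bad base64, bad UTF-8 or bad JSON
            header = claims = None
        if isinstance(header, dict) and isinstance(claims, dict) and "alg" in header:
            exp = claims.get("exp") if isinstance(claims.get("exp"), (int, float)) else None
            return {
                "kind": "jwt",
                "subject": claims.get("sub"),
                "expires_at": exp,
                "never_expires": exp is None,
                "expired": exp is not None and exp <= now,
                "length": len(secret),
            }
    # Opaque string (API Key or Reference Token): nothing can be read locally,
    # so its lifetime has to be looked up on the server that issued it.
    return {"kind": "opaque", "length": len(secret)}


if __name__ == "__main__":
    for c in ({"sub": "constructed-user", "exp": 1_700_003_600}, {"sub": "constructed-user"}):
        print(inspect_credential(make_sample_jwt(c), now=1_700_000_000))
    print(inspect_credential("constructed-opaque-credential"))
```

A `never_expires` or `opaque` result is the cue to check the credential's lifetime on the platform itself rather than trusting what is stored alongside it.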