JFrog API Key Deprecation Process

JFrog Platform Administration Documentation


Why is JFrog Deprecating API Keys?

JFrog introduced API Keys back in JFrog Artifactory 4.4.3 as a practical way for users to create a secret that could then be used to authenticate with JFrog Artifactory over REST or through clients (such as the JFrog CLI and various package manager clients). Although they are easy to create and use, API Keys have some characteristics that make them less secure:

  • API Keys are retrievable – the keys are saved in the database and can be retrieved via REST API or the UI.

  • API Keys don’t have lifecycle management features – API Keys are not created with an expiry date and, by default, never expire, so the user or Artifactory admin must manually revoke them. A single user can have only a single active API Key at any moment, which means that one key has to be shared across multiple clients. If it is revoked, it is revoked for all clients.

  • API Keys are not manageable – administrators cannot monitor or manage a user’s API Keys.

As a result, JFrog decided to begin the process of deprecating the API Keys.