With the release of Artifactory 7.47.10, JFrog introduced a new method that supports Platform administrators with the deprecation process of the API Key feature.
With this new process, admins can identify Platform users who still use API Keys for their authentication, thus helping to migrate those users to alternative means of authentication.
JFrog is officially beginning the countdown to fully discontinuing its support for this feature.
Why is JFrog Deprecating API Keys?
JFrog introduced API Keys way back with JFrog Artifactory 4.4.3, providing users with a practical solution to easily create a secret, which could then be used to authenticate with JFrog Artifactory over REST or through clients (such as the JFrog CLI and various package manager clients). Although they’re easy to create and use, API Keys have some characteristics that make them less secure:
API Keys are retrievable – the keys are saved in the database and can be retrieved via REST API or the UI.
API Keys don’t have lifecycle management features – since API Keys are not created with an expiry date, and, by default, never expire, the user or Artifactory admin must manually revoke them. A single user can have a single active API Key at any moment – which means a single key needs to be shared with multiple clients. If it is revoked, it is revoked for all clients.
API Keys are not manageable – administrators can not monitor or manage a user’s API Keys.
As a result, JFrog decided to begin the process of deprecating the API Keys.
As announced in the Artifactory 7.38.4 release notes, the API Key will be deprecated in the following stages.
Self-hosted Artifactory version 7.47.10 includes the option to log users' authentication methods. This allows administrators to view and warn users using API Keys regarding the upcoming deprecation. See API Key User Collection for Self-Hosted Customers.
Cloud Artifactory version 7.63.5 includes the option to view and download the list of users using API Keys regarding the upcoming deprecation. See API Key User Collection for Cloud Customers.
By the end of Q3, 2024, you will not be able to create new API keys through UI or API.
By the end of Q4 2024, we will no longer support API keys.