JFrog’s Legacy of API Keys

PLATFORM: API Key deprecation and the new Reference Tokens

Author: David Livshin
Article number: 000005407
Source: Salesforce
First published: 2022-09-15T08:12:30Z
Last modified: 2023-03-29
Version: 8

When JFrog introduced API Keys way back with JFrog Artifactory 4.4.3, the keys provided users with a practical solution to easily create a secret. This key could then be used instead of their password with JFrog Artifactory's REST API or through clients such as the JFrog CLI and package managers.

The reasoning behind the use of API Keys was based on security concerns: because users tended to re-use the same password for multiple applications, using application-specific credentials (credentials that would only work with JFrog products) was safer. This also worked for users who did not want to share their passwords with JFrog at all - for example when using SAML/OAuth for UI authentication.

However, despite their advantages, there are several security and usability constraints that API Keys do not cover. For that reason (and others) JFrog made the decision to deprecate the usage of API Keys and to introduce a new authentication mechanism - Reference Tokens.