Although they’re easy to create and use, API Keys have some characteristics that make them less secure:
- API Keys are retrievable - the keys are saved in the database and can be retrieved via REST API or the UI.
- API Keys don’t have lifecycle management features - API Keys are not created with an expiry date and, by default, never expire, so the user or Artifactory admin must revoke them manually. A single user can have only a single active API Key at any moment, which means that one key needs to be shared with multiple clients. If it is revoked, it is revoked for all clients.
- API Keys are not manageable - administrators cannot monitor or manage a user’s API Keys.
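
Because one key is shared by every client of a user, it helps to know which clients a revocation would break before revoking. The following is an added example, not code from the original page or from JFrog: it scans client configuration text for embedded API Keys and groups the files by key fingerprint. Assumptions: keys are long alphanumeric strings starting with `AKCp`, and the file paths, host name and keys are constructed sample data.

```python
import hashlib
import re
from collections import defaultdict

# Assumption (not stated on this page): Artifactory API keys are long
# alphanumeric strings that begin with "AKCp".
API_KEY_RE = re.compile(r"\bAKCp[A-Za-z0-9]{20,}\b")

# Constructed sample data: fake keys and hypothetical client config files.
KEY_A = "AKCp8" + "x" * 68
KEY_B = "AKCp5" + "y" * 68
SAMPLE_CONFIGS = {
    "ci/build/gradle.properties": f"artifactory_password={KEY_A}\n",
    "ci/release/publish.sh": f'curl -H "X-JFrog-Art-Api: {KEY_A}" -T app.tgz "$URL"\n',
    "laptop/pip.conf": f"index-url = https://alice:{KEY_A}@artifactory.example.test/api/pypi/pypi/simple\n",
    "svc/deploy/gradle.properties": f"artifactory_password={KEY_B}\n",
}


def fingerprint(key: str) -> str:
    """Short SHA-256 fingerprint, so reports never contain the key itself."""
    return hashlib.sha256(key.encode()).hexdigest()[:12]


def clients_per_key(configs: dict) -> dict:
    """Map each key fingerprint to the sorted client files that embed it."""
    found = defaultdict(set)
    for path, text in configs.items():
        for key in API_KEY_RE.findall(text):
            found[fingerprint(key)].add(path)
    return {fp: sorted(paths) for fp, paths in found.items()}


def shared_keys(configs: dict) -> dict:
    """Keys used by more than one client: revoking one breaks all of them."""
    return {fp: p for fp, p in clients_per_key(configs).items() if len(p) > 1}


if __name__ == "__main__":
    for fp, paths in shared_keys(SAMPLE_CONFIGS).items():
        print(f"key sha256:{fp} is embedded in {len(paths)} clients:")
        for path in paths:
            print(f"  {path}")
```
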