So why did JFrog deprecate API Keys?

PLATFORM: API Key deprecation and the new Reference Tokens

Author: David Livshin
Article number: 000005407
First published: 2022-09-15T08:12:30Z
Last modified: 2023-08-14T07:47:52Z
Version: 7

Although they’re easy to create and use, API Keys have some characteristics that make them less secure:
  • API Keys are retrievable: the keys are saved in the database and can be retrieved via the REST API or the UI.
  • API Keys don’t have lifecycle management features: since API Keys are not created with an expiry date and, by default, never expire, the user or Artifactory admin must manually revoke them. A single user can have only a single active API Key at any moment, which means a single key needs to be shared with multiple clients. If it is revoked, it is revoked for all clients.
  • API Keys are not manageable: administrators cannot monitor or manage a user’s API Keys.
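
The three weaknesses above, modelled side by side with a per-client expiring token scheme. This is an added illustration, not JFrog's code or part of the original article: the class names, method names, and the hash-only token storage are assumptions chosen to show the contrast.

```python
import hashlib
import secrets
import time

class ApiKeyStore:
    """Model of the API Key scheme as the list above describes it."""
    def __init__(self):
        self._keys = {}                      # user -> plaintext key (one per user)
    def create(self, user):
        self._keys[user] = secrets.token_hex(16)   # replaces any earlier key
        return self._keys[user]
    def retrieve(self, user):                # stored in the clear, so it can be read back
        return self._keys[user]
    def verify(self, user, key):
        stored = self._keys.get(user)
        return stored is not None and secrets.compare_digest(stored, key)
    def revoke(self, user):                  # all-or-nothing: every client loses access
        self._keys.pop(user, None)

class TokenStore:
    """Contrasting model (assumed design): per-client, expiring, hash-only tokens."""
    def __init__(self):
        self._tokens = {}                    # token_id -> record; no plaintext kept
    def issue(self, user, client, ttl_seconds, now=None):
        now = time.time() if now is None else now
        token, token_id = secrets.token_urlsafe(32), secrets.token_hex(8)
        self._tokens[token_id] = {
            "user": user, "client": client, "expires_at": now + ttl_seconds,
            "digest": hashlib.sha256(token.encode()).hexdigest()}
        return token_id, token               # plaintext is shown once, at issue time
    def verify(self, token_id, token, now=None):
        now = time.time() if now is None else now
        rec = self._tokens.get(token_id)
        if rec is None or now >= rec["expires_at"]:
            return False                     # unknown, revoked, or expired
        digest = hashlib.sha256(token.encode()).hexdigest()
        return secrets.compare_digest(rec["digest"], digest)
    def revoke(self, token_id):              # affects one client only
        self._tokens.pop(token_id, None)
    def list_for_admin(self, user):          # metadata an administrator can monitor
        return [(tid, r["client"], r["expires_at"])
                for tid, r in self._tokens.items() if r["user"] == user]
```
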