Why should I use Reference Tokens?

PLATFORM: API Key deprecation and the new Reference Tokens

Author: David Livshin
Article number: 000005407
Source type: Salesforce
First published: 2022-09-15T08:12:30Z
Last modified: 2023-03-29
Version: 8

Unlike API Keys, Reference Tokens are a more secure way to manage user authentication because they “inherit” the security features of Access Tokens.

Here are some additional advantages of the new Reference Tokens:
  • Reference Tokens are not retrievable - Reference Tokens are stored in hashed form, so they cannot be retrieved from the UI, REST API, or database, making them less likely to be compromised.
  • Reference Tokens can have a default expiry - the Artifactory administrator can set a default expiry for Reference Tokens. Administrators can also control the default expiry time and decide whether a token will be refreshable or not.
  • A user can have multiple Reference Tokens - unlike API Keys, a user can create numerous Reference Tokens.
  • Reference Token information can be viewed, and the token can be revoked, via the JFrog Platform UI - both by the user and by administrators.
  • Reference Tokens can be used in multiple ways - Reference Tokens can be used similarly to API Keys, with the “X-JFrog-Art-Api” header, but also as Basic credentials with “curl -u User1:<reference token>” or as bearer tokens with “curl -H "Authorization: Bearer <token>"”.
  • Reference Tokens are short (64 characters) - unlike Identity Tokens, Reference Tokens can be used with clients that don’t support long tokens/passwords.
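
The properties in the list above (hashed storage, default expiry, several tokens per user, revocation without knowing the token value) can be seen in a small conceptual model. This is an added example, not JFrog's implementation: the class name `ReferenceTokenStore`, the use of SHA-256, the hex token format and the token IDs are all assumptions made for illustration.

```python
import hashlib
import secrets
import time

TOKEN_LENGTH = 64  # the article states Reference Tokens are 64 characters


class ReferenceTokenStore:
    """Hypothetical server-side store that keeps only digests, never tokens."""

    def __init__(self, default_expiry_seconds=3600):
        self.default_expiry_seconds = default_expiry_seconds  # admin-set default
        self._records = {}  # digest -> {"id", "user", "expires_at"}

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, user, now=None):
        """Create a token; the plaintext is returned once and not stored."""
        now = time.time() if now is None else now
        token = secrets.token_hex(TOKEN_LENGTH // 2)  # 64 hex characters
        token_id = secrets.token_hex(4)  # non-secret handle for UI and revocation
        self._records[self._digest(token)] = {
            "id": token_id,
            "user": user,
            "expires_at": now + self.default_expiry_seconds,
        }
        return token_id, token

    def validate(self, token, now=None):
        """Return the owning user, or None if unknown, revoked or expired."""
        now = time.time() if now is None else now
        record = self._records.get(self._digest(token))
        if record is None or now >= record["expires_at"]:
            return None
        return record["user"]

    def list_for_user(self, user):
        """What a UI can display: IDs and expiry only, never the token itself."""
        return [(r["id"], r["expires_at"])
                for r in self._records.values() if r["user"] == user]

    def revoke(self, token_id):
        """Revoke by ID, so neither user nor admin needs the token value."""
        for digest, record in list(self._records.items()):
            if record["id"] == token_id:
                del self._records[digest]
                return True
        return False
```

Because only the digest is stored, a dump of `_records` lets an attacker neither read nor reconstruct a usable token, which is the practical difference from a retrievable API Key.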

For more information, the deprecation timeline, and help with migration, see here.