Unlike API Keys, Reference Tokens are a more secure way to manage user authentication because they “inherit” the security features of Access Tokens.
Here are some additional advantages of the new Reference Tokens:
- Reference Tokens are not retrievable - Reference Tokens are stored hashed, so they cannot be retrieved from the UI, REST API, or database, making them less likely to be compromised.
- Reference Tokens can have a default expiry - the Artifactory administrator can set a default expiry for Reference Tokens. They can also control the default expiry time and decide whether a token will be refreshable or not.
- A user can have multiple Reference Tokens - unlike API Keys, a user can create numerous Reference Tokens.
- Reference Token information can be viewed and the token can be revoked via the JFrog Platform UI - both by the user and by administrators.
- Reference Tokens can be used in multiple ways - Reference Tokens can be used similarly to API Keys, with the “X-JFrog-Art-Api” header, but also as Basic credentials with “curl -u User1:<reference token>” or as bearer tokens with “curl -H 'Authorization: Bearer <token>'”.
- Reference Tokens are short (64 characters) - unlike Identity Tokens, Reference Tokens can be used with clients that don’t support long tokens/passwords.
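The storage-related properties in the list above (hashed storage, default expiry, several tokens per user, revocation without the token value) can be modelled in a short sketch. This is an added illustration, not JFrog's code: the `TokenStore` class, the use of SHA-256, and all field names are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

# Illustrative model only, not JFrog's implementation. The hash choice, the
# record fields and the TokenStore class are assumptions for this example.
TOKEN_LEN = 64  # the page states Reference Tokens are 64 characters


class TokenStore:
    def __init__(self, default_ttl=3600):
        self.default_ttl = default_ttl  # administrator-set default expiry, in seconds
        self._records = {}              # token_id -> record; never holds the plaintext

    @staticmethod
    def _digest(token):
        # A fast hash is adequate here because the token is 256 bits of randomness.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user, now=None, ttl=None):
        """Create a token; the plaintext is returned once and not kept."""
        now = time.time() if now is None else now
        token = secrets.token_hex(TOKEN_LEN // 2)  # 32 random bytes -> 64 hex chars
        token_id = secrets.token_hex(8)
        self._records[token_id] = {
            "user": user,
            "hash": self._digest(token),
            "expires": now + (self.default_ttl if ttl is None else ttl),
        }
        return token_id, token

    def verify(self, token, now=None):
        """Return the owning user, or None if unknown, expired or revoked."""
        now = time.time() if now is None else now
        candidate = self._digest(token)
        for rec in self._records.values():
            if hmac.compare_digest(rec["hash"], candidate):
                return rec["user"] if now < rec["expires"] else None
        return None

    def revoke(self, token_id):
        """Revocation needs only the token's id, not its value."""
        return self._records.pop(token_id, None) is not None

    def stored_view(self):
        """What a reader of the UI, REST API or database would see."""
        return [dict(rec, id=tid) for tid, rec in self._records.items()]
```

Because only the digest is stored, someone who can read `stored_view()` learns which tokens exist and when they expire, but cannot recover a value that would pass `verify()`.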
For more information, the deprecation timeline, and help with migration, see here.