API-key lessons learned

Given many of you have been using Kinetic, libraries, functions and API keys for some time, I thought I would ask what lessons or best practices you may have specifically with API keys. I’ve read some great stuff related to vaulting the keys (thanks Mark), but I’ve not seen anything related to how many keys to use and how each key may be configured. I realize the more keys in play, the more complex the system becomes, but I’m curious what those who went with only one key, or others who went with many keys, think today after having used them for some time.

Thanks,
Tim

Hey Tim! Happy New Year!

When I think of API keys, I think of a system that lets me modify security context at a finer level and quickly.

For example, if I am granting external access to a customer or supplier, I would use one key for each. Then, if I move to a new supplier or the supplier has a security incident, I can expire the one key and not all my suppliers. The same would be true for third-party consultants.

For internal resources, I would also want one per security context so you can restrict certain Functions, Methods, etc. to fewer users.

The importance of the vault is that it gives you the ability to roll the keys quickly when needed. Nobody wants to pull up source control to change keys!

3 Likes
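The one-key-per-security-context approach described above, as an added example that is not code from the thread or from Kinetic itself: a small registry that stores only digests of the keys, binds each key to one owner (supplier, customer or internal context) and the functions that owner may call, and lets you expire a single context without touching the others. The owner labels and function names (`GetPurchaseOrders`, `PostInvoice`) are constructed for the demo, and `key_from_vault` stands in for whatever vault you use by reading an environment variable.

```python
"""Per-context API keys with single-key revocation (added example, not from the thread)."""
import hashlib
import os
import secrets
from dataclasses import dataclass


@dataclass
class KeyRecord:
    owner: str            # security context, e.g. "supplier-acme" (constructed label)
    allowed: frozenset    # functions this key may call
    revoked: bool = False


class KeyRegistry:
    """Holds one record per issued key; the raw key itself is never stored."""

    def __init__(self):
        self._records = {}  # sha256 digest of the raw key -> KeyRecord

    @staticmethod
    def _digest(raw_key: str) -> str:
        return hashlib.sha256(raw_key.encode()).hexdigest()

    def issue(self, owner: str, allowed) -> str:
        """Mint a key for one owner; the raw key is returned once for vaulting."""
        raw_key = secrets.token_urlsafe(32)
        self._records[self._digest(raw_key)] = KeyRecord(owner, frozenset(allowed))
        return raw_key

    def revoke_owner(self, owner: str) -> int:
        """Expire every key belonging to one context; other contexts are untouched."""
        count = 0
        for rec in self._records.values():
            if rec.owner == owner and not rec.revoked:
                rec.revoked = True
                count += 1
        return count

    def authorize(self, raw_key: str, function: str) -> bool:
        """True only for a live key whose context is allowed to call `function`."""
        rec = self._records.get(self._digest(raw_key))
        if rec is None or rec.revoked:
            return False
        return function in rec.allowed


def key_from_vault(env_name: str) -> str:
    """Placeholder for a vault lookup: keys come from the environment, not source control."""
    value = os.environ.get(env_name)
    if not value:
        raise RuntimeError(f"{env_name} is not set; load it from the vault")
    return value


def demo() -> dict:
    """Issue one key per supplier plus an internal key, then expire one supplier."""
    reg = KeyRegistry()
    acme = reg.issue("supplier-acme", {"GetPurchaseOrders"})
    globex = reg.issue("supplier-globex", {"GetPurchaseOrders"})
    finance = reg.issue("internal-finance", {"GetPurchaseOrders", "PostInvoice"})

    acme_before = reg.authorize(acme, "GetPurchaseOrders")
    revoked = reg.revoke_owner("supplier-acme")  # incident at one supplier

    return {
        "acme_before": acme_before,
        "revoked_count": revoked,
        "acme_after": reg.authorize(acme, "GetPurchaseOrders"),
        "globex_still_ok": reg.authorize(globex, "GetPurchaseOrders"),
        "globex_no_invoice": reg.authorize(globex, "PostInvoice"),
        "finance_invoice": reg.authorize(finance, "PostInvoice"),
        "unknown_key": reg.authorize("not-a-real-key", "GetPurchaseOrders"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Because the registry keeps only digests, a leaked copy of it does not leak usable keys, and because each key maps to exactly one owner and one allow-list, expiring a supplier or narrowing an internal context is a single-record change rather than a re-issue to everyone.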

Happy New Year, Mark!

Thanks for the experience!