Deprecating Service Tokens and API Keys

TLDR: Infisical is deprecating the Service Token and API Key authentication methods in favor of identities. If you’ve been using these methods, then you should plan to switch your clients to use identities by July 30th, 2024.


Historically, Infisical supported two token-based authentication methods for clients to access the API: Service Token, a project-scoped token with path-based, read/write access restrictions; and API Key, a token with access control policies tied to the user who created it.

While both authentication methods served their use cases well, they also had many shortcomings, such as organizations needing to use both methods, or multiple instances of one, to achieve a particular workflow. Seeing room for improvement, the team reimagined how authentication with the API should work and released the concept of identities in December 2023.

With that, we’re now formally announcing the deprecation of the Service Token and API Key authentication methods with the intention of moving all programmatic access use cases with Infisical to identities.

What is an identity?

Put simply, an identity is an entity that you can create in an Infisical organization to represent a workload or application that requires access to the Infisical API. The identity is configurable with an authentication credential key pair, which we refer to as Universal Authentication, that can be used to authenticate with the API. Conceptually, this is similar to an IAM user in AWS or a service account in GCP.

With identities, you can perform all the operations that service tokens and API keys could but with more expansive security controls all packed into one. Amongst a myriad of improvements, identities come with a role-based permission system, IP allowlist capabilities, and short-lived access token properties. With identities, you no longer need to deal with two different authentication mechanisms or multiple instances of each mechanism just to access the Infisical API.

For more information on identities, check out the fuller blog post on them here, as well as the documentation.

How can I use identities and what are the deprecation details?

If you’re new to Infisical, then you can simply get started with identities at the documentation here. That said, if you’ve been using service tokens and API keys, then you’ll have to rewire your clients to use identities. In most cases, this should be fairly straightforward: either replace the service token or API key with the identity-bound credential set from Universal Auth, or do that and make one extra API request that redeems the credential set for a short-lived access token used to access the Infisical API. In any case, we’ve updated all the client documentation to use identities, including the CLI, Kubernetes Operator, etc.

In terms of the deprecation timeline, there are two critical dates to keep in mind:

  • 07/30/2024: On this date, we will no longer allow the creation of API Keys or Service Tokens on the platform; any existing tokens created prior to the date, however, will remain usable until 07/30/2025.
  • 07/30/2025: On this date, we will fully halt support for using API Keys and Service Tokens to authenticate with the Infisical API. Any requests made with these tokens will be rejected.

Reminders for these dates will be sent out on a monthly basis and one week prior to them.

As always, if you have any questions, you can get in touch at the Slack community here or via dedicated channels if on enterprise.

Toward a better future!
