SEDNA is an ISO 27001-certified organisation, and routinely refreshing and rotating API Keys is part of the security best practices that support operational control frameworks such as SOC 2, HIPAA, or ISO 27001.
To manage this process smoothly and minimise business disruption for users and customers who are actively using the SEDNA API, directly or by way of a partner, we deploy a typical API Key Refresh rollout plan:
- Notification of API Key Refresh - we give 10 working days' notification before we start our API Key Refresh rollout timeline by sharing your new API Key. We will also notify all third-party platforms and technology partners so they are aware that your API Key will be refreshed.
- Issuing of new API Key - after the 10-working-day notification period, we will issue your new API Key securely via a NoteShred message, which will expire after 7 days. If you are unable to transition to the new API Key within 7 days, you can ask us to reshare your new API Key.
- New API Key transition period - From the date of receiving your new API Key, you will have a 14-day transition period to set up and complete your transition to the new API Key. Once the new API Key setup is completed, please be sure to share your new API Key with your third-party platforms and integrations that use the SEDNA Platform API so they can make
- Retire previous API Key - your previous API Key will be deprecated as soon as the New API Key transition period ends
If for some reason you do not update the API Key by the set deadline, any existing tools or integrations that rely on a connection to our platform API will fail (returning a 401 Unauthorized response) when we revoke the existing API Key.
FAQ
How will you share my new API key with me?
You will receive a NoteShred message which will allow you to securely access your new API Key. You will have 14 days to update any existing integrations to use the new API Key before the deprecation of your Old API Key. As NoteShred has an expiry of 7 days, we may be required to re-send the API Key if you do not action this change within the first 7 days of receiving your new API Key.
I use partner integrations as well, do I need to take action to update their API keys?
SEDNA partners have been notified of this upcoming change. If you are using partner integrations set up with an existing SEDNA API Key, we recommend sharing the new API Key with your partner so they can make the required changes before the deprecation of your Old Key at the end of the transition period.
Should I expect this process to happen again in the future? If so, when?
We do not currently have plans to complete a regularly scheduled API key refresh. As part of our efforts to continually look for ways to enhance data security, this is an initiative we may consider in the future. If you require an updated API Key for your purposes, please reach out to our SEDNA team who will be able to support you with this request.
I updated my API Key after the deadline and some of my API calls failed. Can I do anything to retrieve any data that may have been lost due to the failed API calls?
You will be able to re-send any failed API calls with the new API key to ensure all data is correctly surfacing in SEDNA.
Who within my organization is most likely to know what an API Key is and what this change requires (i.e. who should I loop into this message for action)?
Your IT administrator or application support team will be able to advise.
How often are you going to refresh my API keys?
We do not currently have plans to complete a regularly scheduled API key refresh. As part of our efforts to continually look for ways to enhance data security, this is an initiative we may consider in the future. If you require an updated API Key for your purposes, please reach out to our SEDNA team who will be able to support you with this request.
What happens if I don’t update these API keys?
If you do not update your integrations to use the new API Key within the transition period, any API requests using the previous API Key will fail, returning a 401 Unauthorized response.