Api Key Management Best Practice

Using API Keys, customers can access Pluralsight data for their plan. API Keys are sensitive passwords and must be secured. Data security may be compromised if appropriate measures are not taken to maintain security of the keys.

This article defines appropriate ways for accessing and handling PaaS API Keys to maximize the security and integrity of your data.

Below are recommended best practices for using API keys:

  • Use the Manage Keys page in the Pluralsight developer portal to access the API key. Avoid storing keys in unsecure applications.

  • Check the “Last used” column in the Manage Keys page and delete keys that aren't being used regularly (recommend duration ~90 days of inactivity).

  • Consider rotating keys on a regular basis (recommend duration annually).

  • Do not share API keys with others within your organization using unsecure means; such as, emails and messaging services. Use encrypted password managers to share the API key.

  • You do not need to share your API key with Pluralsight teams when you are reporting an issue.

  • If you suspect that an API key may be compromised, delete the API key in the Manage Keys page and generate a new one.

  • Configure keys using “Least Privilege” principles; for example, do not enable write privileges for a key if it is not needed for a specific use case.

  • Create a new API Key for each use case; for example, if you use your current API key for reporting analytics, generate a new API key for "Workday connector". Avoid sharing API Key between different applications or reporting integrations.