API Key Management Best Practices

Using API Keys, customers can access Pluralsight data for their plan. API Keys are sensitive credentials, equivalent to passwords, and must be secured. If appropriate measures are not taken to protect the keys, the security of your data may be compromised.

This article defines appropriate ways for accessing and handling PaaS API Keys to maximize the security and integrity of your data.

PaaS API Key Lifecycle

API Keys remain active for 1 year

  • When an API Key is 11 months old, we will send an email notifying the technical contact(s) that the API Key will expire in 30 days.
  • When an API Key is 1 year old, we change its status from ACTIVE to EXPIRED. We also send an email notifying the technical contact(s) that the API Key has expired.
  • If an API Key is EXPIRED and has not been used for 90 days post-expiration, we will delete it.

How to "Rotate" an API Key

  • Create a new API Key on the Manage Keys page.
  • Update any integrations you have built with the new API Key.
    • Be sure to include any build pipelines, .env files, etc.
  • Ensure all of your integrations work as expected with the new API Key.
  • Delete the old EXPIRED API Key.

What does the status of an API Key mean?

  • ACTIVE means that the API Key is current and can be used for all operations without warning.
  • EXPIRED means that the API Key was created at least 1 year ago.
    • EXPIRED API Keys will continue to work as they did when ACTIVE; the only difference is that you will now see a warning in your response stating that the API Key has expired.
  • DELETED API Keys no longer work. Any request that uses a deleted API Key to pull data receives an error.

Best Practices for using API keys

  • Use the Manage Keys page in the Pluralsight developer portal to access the API key. Avoid storing keys in insecure applications.

  • Check the “Last used” column in the Manage Keys page and delete keys that aren't being used regularly (recommended threshold: ~90 days of inactivity).

  • Rotate keys on a regular basis (recommended: annually).

  • Do not share API keys with others within your organization over insecure channels such as email or messaging services. Use an encrypted password manager to share the API key.

  • You do not need to share your API key with Pluralsight teams when you are reporting an issue.

  • If you suspect that an API key may be compromised, delete the API key in the Manage Keys page and generate a new one.

  • Configure keys using “Least Privilege” principles; for example, do not enable WRITE privileges for a key if it is not needed for a specific use case.

  • Create a new API Key for each use case; for example, if you use your current API key for reporting analytics, generate a separate API key for the "Workday connector". Avoid sharing an API Key between different applications or reporting integrations.
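As an added illustration of the lifecycle rules and the ~90-day inactivity recommendation above (example code, not from Pluralsight or this article), the following Python derives a key's status from its creation date and flags keys that are expiring, expired, about to be auto-deleted, or idle. The inventory records, the `add_months` helper and the finding codes are assumptions; they stand in for what you would read off the Manage Keys page.

```python
import calendar
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Lifecycle rules as stated in the article. The record layout and finding
# codes are assumptions for this example, not part of any Pluralsight API.
WARN_MONTHS, EXPIRE_MONTHS = 11, 12  # warning e-mail at 11 months, EXPIRED at 1 year
DELETE_AFTER = timedelta(days=90)    # EXPIRED and unused this long: Pluralsight deletes it
IDLE_LIMIT = timedelta(days=90)      # best practice: delete keys idle for ~90 days

def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic, clamping the day to the target month's length."""
    years, m0 = divmod(d.month - 1 + months, 12)
    y, m = d.year + years, m0 + 1
    return date(y, m, min(d.day, calendar.monthrange(y, m)[1]))

@dataclass
class ApiKey:                        # constructed stand-in for a Manage Keys row
    name: str
    created: date
    last_used: Optional[date] = None  # None: never used
    deleted: bool = False

def key_status(key: ApiKey, today: date) -> str:
    if key.deleted:
        return "DELETED"
    return "EXPIRED" if today >= add_months(key.created, EXPIRE_MONTHS) else "ACTIVE"

def audit_key(key: ApiKey, today: date) -> List[str]:
    """Return finding codes for one key, most urgent first."""
    status, expires = key_status(key, today), add_months(key.created, EXPIRE_MONTHS)
    if status == "DELETED":
        return ["DELETED"]                 # every call with this key now errors
    findings = []
    if status == "EXPIRED":
        findings.append("EXPIRED")         # still works, but responses carry a warning
        unused_since = max(expires, key.last_used or expires)  # assumption: clock starts at expiry
        if today >= unused_since + DELETE_AFTER:
            findings.append("DELETION_PENDING")
    elif today >= add_months(key.created, WARN_MONTHS):
        findings.append("EXPIRING_SOON")   # inside the 30-day warning window: rotate now
    if key.last_used is None or today - key.last_used >= IDLE_LIMIT:
        findings.append("IDLE")            # candidate for deletion per best practice
    return findings

def audit(keys: List[ApiKey], today: date) -> dict:
    return {k.name: audit_key(k, today) for k in keys}
```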