API Configuration
Manage and control access to LoginRadius APIs by configuring your API Key, Secret, and additional secret sets. This helps ensure secure usage across various environments and use cases.
Overview
LoginRadius provides a flexible API credentials system that includes the following:
- Primary API Key and Secret for full access
- Additional API Secrets for limited, scoped access
- SOTT (Secure One-Time Token) for mobile or short-lived secure access
With this system, you have full control over how secrets are configured, shared, and rotated, so access stays controlled across team members, services, and deployment environments.
Use Cases
- Secure Third-Party Access: Use additional API secrets to limit a vendor's or an internal service's access to specific APIs.
- Least-Privilege Access: Assign specific permissions (e.g., read-only for analytics, full access for CI/CD).
- Mobile App Authentication: Use SOTT to grant temporary access to mobile applications.
Configuration Options
API Account Key
Your default key and secret pair for accessing all LoginRadius APIs.
- Navigate to API Configuration > API Account Key under the tenant configuration settings.
- Copy the API Key directly.
- Click the eye icon to reveal the API Secret.
- Click Refresh to regenerate a new one.
Important: Do not share this API Secret publicly. It grants full control over your APIs, and exposure can lead to unauthorized access.
Additional API Secret(s)
Additional API Secrets can be generated to stand in for the Primary Secret for specific actions, limited by the permissions assigned to each secret.
This lets you give each team member their own secret when multiple people need access to the site, and revoke an individual secret when required.
Note: You can create up to 10 additional API secrets with limited permissions.
Add an API Secret:
- Go to API Configuration > Additional API Secret(s).
- Click + Add API Secret button.
- Optionally, enter a secret name, then select the APIs the secret may access, grouped by area of your site such as Analytics, Cloud Directory, Customer Identity, SSO Federation, etc.
- Click Create Secret.
💡 If no name is provided, a random one is generated.
Manage API Secrets:
- View, revoke, or regenerate specific secrets.
- Click the eye icon to reveal a secret.
- Use the action menu to delete. Confirm the deletion by clicking Confirm.
SOTT (Mobile App)
SOTT (Secure One-Time Token) is used to authorize access to mobile apps.
Generate SOTT:
- Navigate to API Configuration > SOTT (Mobile App).
- Click + New SOTT.
- Select the technology (e.g., iOS, Android).
- Set the date range for validity.
- Add comments (optional).
- Choose whether to Encode SOTT, then click Generate.
Tokens can be revoked individually or in bulk using the Revoke All button.
Best Practices
- Rotate Secrets Regularly: Periodically regenerate your API secrets.
- Use Additional Secrets for Scoped Access: Always follow the principle of least privilege.
- Avoid Hardcoding Secrets: Use secure environment variables or secrets managers.
- Monitor and Revoke: Regularly audit and revoke unused or compromised API secrets.
- Use SOTT for Temporary Access: This is especially recommended for mobile clients or short-lived authentication scenarios.