Setting up API users for programmatic access

A tenant administrator creates the API users. An API user contains the API key, which includes a set of the access key and the secret key. The access key and the secret key are similar to the user name and the password that are required for programmatic access to the system. Unlike the user-level API keys, a tenant administrator can create multiple tenant-level API keys (by creating multiple API users).

The access key is of 30 characters in length (for example, H8CM6529J8NGP6CV9PE791W8MFX11K), and the secret key is of 50 characters in length (for example, OJ93lwJSvKArieIUb62VZU87xSqocTmqb1gjskqCEt4VZF4FD7). Both the access key and the secret key are generated randomly during the creation of a tenant-level API user or a user-level API key. 

To understand the concept of the API users, see User access.


To create an API user

  1. Navigate to the User access > Users page. 
  2. Under the API Users tab, click Add API user.
  3. Provide a name, an optional description, and select the expiry for the access key and secret key. 
    The user name provided in this step is only a logical representation that is used for easy identification purposes on the UI. This user name cannot be used to authenticate into the system. 
  4. (Optional) If you want to deactivate the access key and the secret key and reactivate it at a later time, disable the API key setting in the panel displayed.

    The tenant ID is displayed next to the API key setting. You can copy it, if required. 

  5. Copy the access key and the secret key. 

    Can I copy the secret key later?

    No. The secret key is available for copying only when it is generated for the first time. Afterwards, it is saved in an encrypted form using the OpenBSD Bcrypt scheme. This encryption is irreversible.

    If you do not copy the secret key when it is generated or if you lose it, you must generate a new one.


  6. Change the key expiry, if required. Otherwise, leave it unchanged.

    You can set a custom value or set it to never expire. Although you can set the key to never expire, for enhanced security purposes, we recommend that you set a definite key expiry date. After the key expires, you can extend the date by editing the API user.


  7. (Optional) Do one of the following to give appropriate permissions to the API user:

    • If you have user groups that are associated with roles containing appropriate permissions, assign user groups.

    • If you have roles with appropriate permissions, assign roles.

    User groups or roles cannot be assigned by editing the API user. If you do not assign user groups or roles in this step, you can assign permissions to the API user by creating or editing a role and assigning the API user to that role. 

  8. Close the window. 

To view and edit user groups and roles assigned to an API user

To be able to view and edit user group and roles assignments, you need list and read permissions.

  1. Navigate to the User access > Users page, and click the API users tab.
  2. From the user's Actions menu, select User options.

  3. (Optional) Change the user group and role assignments. 
    While making changes, you can either provide a custom value for the key expiry or you can set it to never expire.

To view permissions assigned to an API user

  1. Navigate to the User access > Users page, and click the API users tab.
  2. From the user's Actions menu, select View permissions.

As a user, if you do not have permissions to see the list of users on the console, you can view your own permissions by viewing your profile.

To delete an API user

  1. Navigate to the User access > Users page, and click the API users tab.
  2. From the Actions menu of a user, select Delete and click Yes.

    Can I delete multiple API users together?

    No. Bulk deletion of API users is not supported.


Was this page helpful? Yes No Submitting... Thank you

Comments