Creating User and Account API Keys - AskJ1 Community
<main> <article class="userContent"> <p>API keys enable users to use the J1 APIs in queries and with integrations. You can enable the use of API keys for a group of users and create API keys for your organization account.</p> <h2 data-id="enable-user-level-api-key-access">Enable User-Level API Key Access</h2> <p>You must have the Administrator permission to enable API key access.</p> <p>To enable API key access for a group of users:</p> <ol><li>Go to <strong>Settings <img src="https://us.v-cdn.net/6035534/uploads/YN47W4KORSDG/gear.png" alt="" class="embedImage-img importedEmbed-img"></img> > Users & Access</strong> <img src="https://us.v-cdn.net/6035534/uploads/2IQ8EQYJNLGA/users.png" alt="users" class="embedImage-img importedEmbed-img"></img>.</li> <li>Select the group for whom you want to enable API access.</li> <li>Select <strong>API Key Management</strong>.<br> </li> </ol><p><img src="https://us.v-cdn.net/6035534/uploads/D0KZX3LGOIA5/api-key-access-group-enable1.png" alt="" class="embedImage-img importedEmbed-img"></img></p> <p>An API key icon appears in the My Profile view for each user in the group that has API key access.</p> <p><img src="https://us.v-cdn.net/6035534/uploads/F7D3EMQFCDDQ/my-profile-key.png" alt="my-profile" class="embedImage-img importedEmbed-img"></img></p> <h2 data-id="create-account-level-api-keys">Create Account-Level API Keys</h2> <p>You can manage user-level keys in the Account Management page. 
You must have administrator permissions to make changes to account-level API keys.</p> <p>To generate a new API key or manage existing API keys:</p> <ol><li>Log in to the account you want to manage.</li> <li>Go to <strong>Settings</strong> <img src="https://us.v-cdn.net/6035534/uploads/YN47W4KORSDG/gear.png" alt="" class="embedImage-img importedEmbed-img"></img><strong>></strong> <strong>Account Management</strong>.</li> <li>In the left panel, click the key icon.<br> <br><img src="https://us.v-cdn.net/6035534/uploads/HUEADCPT5XSR/api-key-acct-mgmt.png" alt="api_key_acct-mgmt" class="embedImage-img importedEmbed-img"></img><br> </li> <li>In the User API Keys page, click <strong>Add</strong> <img src="https://us.v-cdn.net/6035534/uploads/7KHFDQD797AA/api-keys-plus.png" alt="" class="embedImage-img importedEmbed-img"></img>.</li> <li>In the API Keys modal, enter the name of the key and the number of days before it expires, and click <strong>Create</strong>.</li> </ol><p>To revoke an API key, in the User API Keys page, go to the key you want to revoke and click the trash icon <img src="https://us.v-cdn.net/6035534/uploads/B2XSTCGQOG00/trash.png" alt="trash" class="embedImage-img importedEmbed-img"></img>.</p> <h2 data-id="api-key-permissions-policy">API Key Permissions Policy</h2> <p>You must set a permission policy in JSON for account-level API keys, similar to an IAM policy in AWS. 
The following is an example of a full control policy:</p>
<pre class="code codeBlock" spellcheck="false" tabindex="0">{
  "permissions": [
    {
      "effect": "ALLOW",
      "actions": ["*"],
      "resources": ["*"]
    }
  ]
}
</pre>
<p>J1 supports the creation of * policies that permit all actions or resources:</p>
<pre class="code codeBlock" spellcheck="false" tabindex="0">{
  "permissions": [
    {
      "effect": "ALLOW",
      "actions": ["*"],
      "resources": ["*"]
    }
  ]
}
</pre>
<pre class="code codeBlock" spellcheck="false" tabindex="0">{
  "permissions": [
    {
      "effect": "ALLOW",
      "actions": ["query:ReadGraphData"],
      "resources": ["*"]
    }
  ]
}
</pre>
<pre class="code codeBlock" spellcheck="false" tabindex="0">{
  "permissions": [
    {
      "effect": "ALLOW",
      "actions": ["*"],
      "resources": ["*"]
    },
    {
      "effect": "DENY", // Deny only ReadGraphData
      "actions": ["query:ReadGraphData"],
      "resources": ["*"]
    }
  ]
}
</pre>
<h2 data-id="create-integration-api-keys">Create Integration API Keys</h2>
<p>You must have administrator permissions to be able to create keys and the selected integration must have at least one configuration.</p>
<p>To create API keys that you can use with your J1 integration:</p>
<ol><li>Go to <strong>Settings <img src="https://us.v-cdn.net/6035534/uploads/YN47W4KORSDG/gear.png" alt="gear" class="embedImage-img importedEmbed-img"></img> > Integrations</strong>.</li> <li>Select the integration for which you want to create an API key.</li> <li>Select the configuration you want to edit.</li> <li>Scroll down to Integration API Keys and click <strong>Create</strong>.</li> <li>When prompted, click <strong>Create</strong> again to confirm your action.</li> </ol><p>The key is now available for you to use to synchronize data in this integration.</p>
<p><img src="https://us.v-cdn.net/6035534/uploads/OMKDXITU4SWU/api-integration-create-key.png" alt="" class="embedImage-img importedEmbed-img"></img></p>
<p>To delete the API key at any time, click <strong>Revoke</strong>.</p>
<h2
data-id="create-api-keys-using-the-graphql-api">Create API Keys Using the GraphQL API</h2>
<p>You can use GraphQL queries to create account-level API keys.</p>
<p>To create an account-level API key, enter:</p>
<pre class="code codeBlock" spellcheck="false" tabindex="0">POST https://graphql.us.jupiterone.io/
</pre>
<pre class="code codeBlock" spellcheck="false" tabindex="0">mutation CreateToken($token: TokenInput!) {
  createToken(token: $token) {
    token
    id
    name
    category
    policy
    revoked
    createdAt
    expiresAt
    __typename
  }
}
</pre>
<pre class="code codeBlock" spellcheck="false" tabindex="0">{
  "variables": {
    "token": {
      "name": "Token Name",
      "category": "tags",
      "policy": "{\n\t\"permissions\": [{\n\t\t\"effect\":\"ALLOW\",\n\t\t\"actions\":[\"dashboard:View\" ],\n\t\t\"resources\": [ \"dashboard:123456\" ]\n\t}]\n}"
    }
  }
}
</pre>
<p><strong>Note</strong>: Wildcards are not supported for account-level API tokens.</p>
<p>The <code class="code codeInline" spellcheck="false" tabindex="0">policy</code> variable is a JSON object formatted as follows:</p>
<pre class="code codeBlock" spellcheck="false" tabindex="0">{
  "permissions": [
    {
      "effect": "ALLOW",
      "actions": ["dashboard:View"],
      "resources": ["dashboard:123456"]
    }
  ]
}
</pre>
<p>The effect parameter is either <code class="code codeInline" spellcheck="false" tabindex="0">ALLOW</code> or <code class="code codeInline" spellcheck="false" tabindex="0">DENY</code> and is case-sensitive.
Currently, J1 only supports fully-qualified actions and resources or the wildcard <code class="code codeInline" spellcheck="false" tabindex="0">*</code>.</p>
<p>Supported actions include:</p>
<pre class="code codeBlock" spellcheck="false" tabindex="0">"compliance:GetStandard",
"compliance:GetSummary",
"dashboard:View",
"persister:GetEntityRawData",
"persister:Synchronize",
"query:GetAccountEntity",
"query:ReadGraphData",
"settings:GetSettings",
"parameters:GetParameter",
"parameters:GetParameterList",
"parameters:SetParameter",
"parameters:DeleteParameter",
"*" // All actions
</pre>
<p>Supported resources include:</p>
<pre class="code codeBlock" spellcheck="false" tabindex="0">"account:&lt;resourceId&gt;",
"api:&lt;resourceId&gt;",
"compliance-standard:&lt;resourceId&gt;",
"dashboard:&lt;resourceId&gt;",
"entity:&lt;resourceId&gt;",
"integration:&lt;resourceId&gt;",
"powerup:&lt;resourceId&gt;",
"settings-category:&lt;resourceId&gt;",
"parameter:&lt;resourceId&gt;",
"*" // All resources
</pre>
<p>The action <code class="code codeInline" spellcheck="false" tabindex="0">query:ReadGraphData</code> may be constrained by a condition. For the policy to allow access to a graph object, that graph object must have the properties specified in the condition and those properties must have the values specified in the condition. These J1QL Query Policies must include <code class="code codeInline" spellcheck="false" tabindex="0">effect: "ALLOW"</code>; <code class="code codeInline" spellcheck="false" tabindex="0">actions: ["ReadGraphData"]</code> (or <code class="code codeInline" spellcheck="false" tabindex="0">actions: ["*"]</code>); and <code class="code codeInline" spellcheck="false" tabindex="0">resources: ["*"]</code>. In addition, their <code class="code codeInline" spellcheck="false" tabindex="0">conditions</code> block must contain an object of the <code class="code codeInline" spellcheck="false" tabindex="0">stringEquals</code> comparison.
For example, this policy only allows its user to query for graph objects that have the property <code class="code codeInline" spellcheck="false" tabindex="0">_type</code> equal to <code class="code codeInline" spellcheck="false" tabindex="0">github_repo</code>:</p>
<pre class="code codeBlock" spellcheck="false" tabindex="0">{
  "permissions": [
    {
      "effect": "ALLOW",
      "actions": ["query:ReadGraphData"],
      "resources": ["*"],
      "condition": {
        "stringEquals": {
          "_type": "github_repo"
        }
      }
    }
  ]
}
</pre>
<h3 data-id="revoke-account-level-api-keys">Revoke Account-Level API Keys</h3>
<p>To revoke an account-level key, enter:</p>
<pre class="code codeBlock" spellcheck="false" tabindex="0">POST https://graphql.us.jupiterone.io/
</pre>
<pre class="code codeBlock" spellcheck="false" tabindex="0">mutation RevokeToken($id: String!) {
  revokeToken(id: $id) {
    token
    id
    name
    category
    policy
    revoked
    createdAt
    expiresAt
    __typename
  }
}
</pre>
<pre class="code codeBlock" spellcheck="false" tabindex="0">{
  "variables": {
    "id": "&lt;tokenId&gt;"
  }
}
</pre>
</article> </main>
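<p>Added example, not part of the original page or JupiterOne's own code: a Python check for the policy rules described above (case-sensitive effect, supported actions, fully-qualified resources or <code>*</code>, the <code>stringEquals</code> condition form) that then serializes the policy into the string the <code>createToken</code> variables expect. The names <code>lint_policy</code> and <code>create_token_variables</code> are hypothetical, the <code>condition</code> key follows the page's example policy, and reporting an unconditioned ALLOW * on * as a finding is this example's own choice.</p>

```python
import json

ACTIONS = {  # copied from the "Supported actions" list on this page
    "compliance:GetStandard", "compliance:GetSummary", "dashboard:View",
    "persister:GetEntityRawData", "persister:Synchronize",
    "query:GetAccountEntity", "query:ReadGraphData", "settings:GetSettings",
    "parameters:GetParameter", "parameters:GetParameterList",
    "parameters:SetParameter", "parameters:DeleteParameter",
}
RESOURCE_TYPES = {  # prefixes from the "Supported resources" list
    "account", "api", "compliance-standard", "dashboard", "entity",
    "integration", "powerup", "settings-category", "parameter",
}

def lint_policy(policy):
    """Return findings for a policy dict; an empty list means it passed."""
    statements = policy.get("permissions")
    if not isinstance(statements, list) or not statements:
        return ["policy needs a non-empty 'permissions' list"]
    findings = []
    for i, st in enumerate(statements):
        effect = st.get("effect")
        actions, resources = st.get("actions", []), st.get("resources", [])
        if effect not in ("ALLOW", "DENY"):  # case-sensitive, so "allow" fails
            findings.append(f"[{i}] effect must be ALLOW or DENY, got {effect!r}")
        for a in actions:
            if a != "*" and a not in ACTIONS:
                findings.append(f"[{i}] unsupported action {a!r}")
        for r in resources:
            rtype, _, rid = r.partition(":")
            if r != "*" and (rtype not in RESOURCE_TYPES or not rid):
                findings.append(f"[{i}] resource {r!r} is not fully qualified")
        cond = st.get("condition")  # key as spelled in the page's example policy
        if cond is None:
            if effect == "ALLOW" and "*" in actions and "*" in resources:
                findings.append(f"[{i}] full-control grant (ALLOW * on *)")
        elif (list(cond) != ["stringEquals"] or effect != "ALLOW"
              or resources != ["*"]
              or not {"query:ReadGraphData", "*"} & set(actions)):
            findings.append(f"[{i}] condition breaks the query-policy rules")
    return findings

def create_token_variables(name, category, policy):
    """Build the createToken variables; the policy travels as a JSON string."""
    findings = lint_policy(policy)
    if findings:
        raise ValueError("; ".join(findings))
    token = {"name": name, "category": category, "policy": json.dumps(policy)}
    return {"variables": {"token": token}}
```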