Community
Questions Library
Docs
Blog
Events
Swag
Github
Slack
JupiterOne
Discussions
Release Notes
Creating User and Account API Keys - AskJ1 Community
<main> <article class="userContent"> <p>API keys enable users to use the J1 APIs in queries and with integrations. You can enable the use of API keys for a group of users and create API keys for your organization account.</p> <h2 data-id="enable-user-level-api-key-access">Enable User-Level API Key Access</h2> <p>You must have the Administrator permission to enable API key access.</p> <p>To enable API key access for a group of users:</p> <ol><li>Go to <strong>Settings <img src="https://us.v-cdn.net/6035534/uploads/LWA1WIC15Z9V/gear.png" alt="gear" class="embedImage-img importedEmbed-img"></img> > Users & Access</strong> <img src="https://us.v-cdn.net/6035534/uploads/2L5GOLAKKVTE/users.png" alt="users" class="embedImage-img importedEmbed-img"></img>.</li> <li>Select the group for whom you want to enable API access.</li> <li>Select <strong>Enable API key access for users in this group</strong>.<br> </li> </ol><p><img src="https://us.v-cdn.net/6035534/uploads/UDFII1GUELCU/api-key-access-group-enable.png" alt="" class="embedImage-img importedEmbed-img"></img></p> <p>An API key icon appears in the My Profile view for each user in the group that has API key access.</p> <p><img src="https://us.v-cdn.net/6035534/uploads/ZLCJYW6F96CV/my-profile-key.png" alt="my-profile" class="embedImage-img importedEmbed-img"></img></p> <h2 data-id="create-account-level-api-keys">Create Account-Level API Keys</h2> <p>You can manage user-level keys in the Account Management page. You must have administrator permissions to make changes to account-level API keys.</p> <p>To generate a new API key or manage existing API keys:</p> <ol><li>Log in to the account you want to manage.</li> <li>Go to <strong>Settings</strong> <img src="https://us.v-cdn.net/6035534/uploads/LWA1WIC15Z9V/gear.png" alt="gear" class="embedImage-img importedEmbed-img"></img><strong>></strong> <strong>Account Management</strong>.</li> <li>In the left panel, click the key icon.<br> <br><img src="https://us.v-cdn.net/6035534/uploads/S2B7TMYAN7DI/api-key-acct-mgmt.png" alt="api_key_acct-mgmt" class="embedImage-img importedEmbed-img"></img><br> </li> <li>In the User API Keys page, click <strong>Add</strong> <img src="https://us.v-cdn.net/6035534/uploads/PSNLH45ME2L0/api-keys-plus.png" alt="api-keys-plus" class="embedImage-img importedEmbed-img"></img>.</li> <li>In the API Keys modal, enter the name of the key and the number of days before it expires, and click <strong>Create</strong>.</li> </ol><p>To revoke an API key, in the User API Keys page, go to the key you want to revoke and click the trash<br> icon <img src="https://us.v-cdn.net/6035534/uploads/ULPV0O2UE1BB/trash.png" alt="trash" class="embedImage-img importedEmbed-img"></img>.</p> <h2 data-id="create-integration-api-keys">Create Integration API Keys</h2> <p>You must have administrator permissions to be able to create keys and the selected integration must have at least one<br> configuration.</p> <p>To create API keys that you can use with your J1 integration:</p> <ol><li>Go to <strong>Settings <img src="https://us.v-cdn.net/6035534/uploads/LWA1WIC15Z9V/gear.png" alt="gear" class="embedImage-img importedEmbed-img"></img> > Integrations</strong>.</li> <li>Select the integration for which you want to create an API key.</li> <li>Select the configuration you want to edit.</li> <li>Scroll down to Integration API Keys and click <strong>Create</strong>.</li> <li>When prompted, click <strong>Create</strong> again to confirm your action.</li> </ol><p>The key is now available for you to use to synchronize data in this integrations.</p> <p><img src="https://us.v-cdn.net/6035534/uploads/NGS6NUQVPBQY/api-integration-create-key.png" alt="api-integration-create-key" class="embedImage-img importedEmbed-img"></img></p> <p>To delete the API key at any time, click <strong>Revoke</strong>.</p> <h2 data-id="create-api-keys-using-the-graphql-api">Create API Keys Using the GraphQL API</h2> <p>You can use GraphQL queries to create account-level API keys.</p> <p>To create an account-level API key, enter:</p> <pre class="code codeBlock" spellcheck="false" tabindex="0">POST `https://j1dev.apps.dev.jupiterone.io/api/graphql` </pre> <pre class="code codeBlock" spellcheck="false" tabindex="0">mutation CreateToken($token: TokenInput!) { createToken(token: $token) { token id name category policy revoked createdAt expiresAt __typename } } </pre> <pre class="code codeBlock" spellcheck="false" tabindex="0">{ "variables": { "token": { "name": "Token Name", "category": "tags", "policy": "{\n\t\"permissions\": [{\n\t\t\"effect\":\"ALLOW\",\n\t\t\"actions\":[\"dashboard:View\" ],\n\t\t\"resources\": [ \"dashboard:123456\" ]\n\t}]\n}" } } } </pre> <p><strong>Note</strong>: Wildcards are not supported for account-level API tokens.</p> <p>The <code class="code codeInline" spellcheck="false" tabindex="0">policy</code> variable is a JSON object formatted as follows:</p> <pre class="code codeBlock" spellcheck="false" tabindex="0">{ "permissions": [ { "effect": "ALLOW", "actions": ["dashboard:View"], "resources": ["dashboard:123456"] } ] } </pre> <p>The effect parameter is ether <code class="code codeInline" spellcheck="false" tabindex="0">ALLOW</code> or <code class="code codeInline" spellcheck="false" tabindex="0">DENY</code> and is case-sensitive. Currently, J1 only supports fully-qualified actions and resources or the wildcard <code class="code codeInline" spellcheck="false" tabindex="0">*</code>.</p> <p>Supported actions include:</p> <pre class="code codeBlock" spellcheck="false" tabindex="0">"compliance:GetStandard", "compliance:GetSummary", "dashboard:View", "persister:GetEntityRawData", "persister:Synchronize", "query:GetAccountEntity", "query:ReadGraphData", "settings:GetSettings", "parameters:GetParameter", "parameters:GetParameterList", "parameters:SetParameter", "parameters:DeleteParameter" "*" // All actions </pre> <p>Supported resources include:</p> <pre class="code codeBlock" spellcheck="false" tabindex="0">"account:<resourceId>", "api:<resourceId>", "compliance-standard:<resourceId>", "dashboard:<resourceId>", "entity:<resourceId>", "integration:<resourceId>", "powerup:<resourceId>", "settings-category:<resourceId>", "parameter:<resourceId>" "*" // All resources </pre> <p>The action <code class="code codeInline" spellcheck="false" tabindex="0">query:ReadGraphData</code> cannot be applied to resources other than the wildcard resource (<code class="code codeInline" spellcheck="false" tabindex="0">*</code>). However, it may be constrained by a condition. For the policy to allow access to a graph object, that graph object must have the properties specified in the condition and those properties must have the values specified in the condition. For example, this policy only allows its user to query for graph objects that have the property <code class="code codeInline" spellcheck="false" tabindex="0">_type</code> equal to <code class="code codeInline" spellcheck="false" tabindex="0">github_repo</code>:</p> <pre class="code codeBlock" spellcheck="false" tabindex="0">{ "permissions": [ { "effect": "ALLOW", "actions": ["query:ReadGraphData"], "resources": ["*"], "condition": { "stringEquals": { "_type": "github_repo" } } } ] } </pre> <p>Currently, only the <code class="code codeInline" spellcheck="false" tabindex="0">/j1ql</code> REST route supports the <code class="code codeInline" spellcheck="false" tabindex="0">query:ReadGraphData</code> permission. The GraphQL API (<code class="code codeInline" spellcheck="false" tabindex="0">queryV1</code>) does not.</p> <h3 data-id="revoke-account-level-api-keys">Revoke Account-Level API Keys</h3> <p>To revoke an account-level key, enter:</p> <pre class="code codeBlock" spellcheck="false" tabindex="0">POST `https://j1dev.apps.dev.jupiterone.io/api/graphql` </pre> <pre class="code codeBlock" spellcheck="false" tabindex="0">mutation RevokeToken($id: String!) { revokeToken(id: $id) { token id name category policy revoked createdAt expiresAt __typename } } </pre> <pre class="code codeBlock" spellcheck="false" tabindex="0">{ "variables": { "id": "<tokenId>" } } </pre> </article> </main>