We are extending the API key model introduced for the RIPE Database to create a more consistent, secure, and flexible approach across RIPE NCC services.
Last year, we introduced API keys as an alternative authentication method for the RIPE Database, with the goal of phasing out MD5 password usage. This provided a more secure and flexible way for users to authenticate, particularly for automation and scripting.
Building on this approach, we have decided to adopt the same API technology for the existing API Keys within the LIR Portal.
In the LIR Portal, we currently provide three types of API Keys for our members: IP Analyser, My Resources, and RPKI Management. Until now, these keys were created in a central location within the LIR Portal. But with this change, API keys are created in their proper context - directly within the services for which they are used - while still being centrally visible and manageable via the RIPE NCC Access page.
A more flexible and secure approach
Compared the old implementation, the new API key model introduces several benefits:
- Usage visibility: users can see date/time each key was last used
- Fine grained permissions: API keys can now be scoped more precisely, for example to a specific Whois maintainer
- Improved security: API keys use a modern password-hashing algorithm and have a maximum expiration time of 1 year
- User and the organisation binding: if a user leaves an organisation, their API Keys automatically stops working, preventing access to organisation data
- Better navigation: we’ve also improved how API keys are accessed within the interface - e.g., a new “API Keys” dropdown in the “resources” section allows users to create and manage keys more easily.
All these changes give users more control while reducing potential security risks.
Rollout across services
We’re introducing this new approach in phases. As of 1 April, members will be able to create new API keys for IP Analyser and My Resources via this new approach. The RPKI management keys will follow in the second quarter.
The existing API keys creation page in the LIR Portal will remain available until the RPKI Management Keys migration is complete. However, we strongly encourage members to begin creating new API keys and revoking their existing ones as soon as possible.
Once the RPKI Management Keys has been migrated, we will gradually phase out the API keys creation page in the LIR Portal. Members will be given a three-month transition period to generate new keys and update their scripts accordingly.
Accessing resources and creating API keys
As part of all this, we’ve made it more straightforward for members to access resource information and create API keys within the interface.
The Resources section now provides direct access to both My Resources overview and the new IP Analyser page. In the case of IP Analyser, reports can be viewed immediately without needing to create an API key, making it easier to explore the data.
For users looking for automated access, API keys can be created directly from within the service. For example, on the IP Analyser page (below), the API Keys menu lets you create a key for this purpose. This makes resource information readily available through the interface while still supporting automated use where needed.
Together, we hope these changes bring a more consistent, flexible approach to how API keys are used across RIPE NCC services.
Comments 0