API related question - managing API keys

Hi ​@benwanless -- just want to confirm I understand the question and then I can track down some answers -- you are referring to the Gainsight API key that a Gainsight Admin can set/refresh to provide to other data owners in your org that want to make API calls to Gainsight, yes?

And the issue is that when the Admin user who created or refreshed the token is set to Inactive (leaves the organization, etc.), the token is invalidated, yes?

If that’s the case, then I believe there are some roadmap items under discussion and I’ll check into it -- that said, given the current security climate, I wouldn’t be surprised if we also didn’t add a back-end process that invalidates an API key if it hasn’t been used for, say, X number of days/months and so on.

Let me know!

Scott

Hi ​@sdrostgainsightcom,

Just to add to ​@benwanless initial comment, as you say with recent events having the option to be more strict with credential rotations (and being enabled by default) would give admins much more flexibility with connections between GS and non-GS systems. Even an automated friendly reminder to GS admins to cycle their keys if the system notices it passes x number of days without a refresh would be good.

It provides that extra level of guidance without being too restrictive. That said, having optional settings to force changes would also be welcome. :)

Regards,

Matt