At Humanitec we’re excited to announce a new way to manage API tokens with the Platform Orchestrator. We understand the challenges and complexities around token management, which is why we’ve replaced the old API tokens settings with a new Service User page that offers a secure, transparent way to control RBAC permissions, token expiration dates, and storage.
The static tokens headache
The Humanitec API enables automation and integration of the Humanitec Platform Orchestrator into your developer and operational workflows. Almost all requests to the Humanitec API require authentication. This is where static tokens step in as the bridge between machines and the Humanitec API. When connecting your CI pipeline to Humanitec (and in other similar scenarios), static tokens play a vital role. To ensure security and control, static tokens should be used purposefully and tailored to specific needs. However, as your tech stack grows, managing an array of static tokens (e.g. keeping track of which tokens are still relevant, when they expire, and which token fits each use case) can be tricky. After all, the impact of ineffective token management can extend well beyond workflow hiccups. For example, new security vulnerabilities may develop with the potential to shake up your entire tech ecosystem.
Scoped API tokens and Service Users in action
Ok, time to take charge of your token universe. To help you do this we made a big change to how API tokens are managed in Humanitec. Say hello to Service Users, the new stars of token management. What we’ve done here is replace the old API tokens settings with a new Service User page. Let's dive into the details of what these changes mean for you, starting with an overview of Service Users.
A Service User is a non-human user. In other words, a system user that cannot be directly logged into. In Humanitec, API tokens can be generated from Service Users and are used to interact with Humanitec’s API on the Service User’s behalf.
Creating a Service User is easy. In the Service User settings, click on "Create new Service User." From there you assign a memorable name to the Service User and designate an organization role.
If you need your Service User to access specific applications or environment types, you can assign application and deployer rights, just as you would for a regular organization member. This ensures that your Service User has the necessary permissions to operate seamlessly within your defined workflows.
How to issue an API token in the new UI
To get an API token, you first need to create a Service User and assign a specific set of RBAC (Role-Based Access Control) roles to it. Then, simply select an ID and provide a description to identify the token purpose. After that, you're all set!
The role assigned to the API token is inherited from the Service User and cannot be modified independently. By default, the token has an unlimited duration; you can also set an expiration date for the token if needed.
Remember, the API token will be displayed only once — so keep it somewhere safe.
You also have the option to revoke API tokens at any time by selecting the revoke button.
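The token lifecycle described above (inherited role, optional expiry with unlimited duration as the default, revocation) is the kind of inventory that gets hard to track by hand. The following is an added example, not Humanitec code or its export format: it models a Service User token inventory with constructed sample records and flags the buckets a reviewer would look at first (unlimited-duration tokens, tokens past expiry that were never revoked, and tokens expiring soon). The record fields and the role names on the sample records are assumptions for illustration.

```python
"""Audit a Service User API token inventory for lifetime and expiry risks."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ApiToken:
    id: str
    description: str
    role: str                    # inherited from the owning Service User, not editable per token
    expires_at: Optional[date]   # None models the default: unlimited duration
    revoked: bool = False


def classify(token: ApiToken, today: date, warn_days: int = 14) -> str:
    """Return one finding label: revoked, expired, expiring, unlimited or ok."""
    if token.revoked:
        return "revoked"
    if token.expires_at is None:
        return "unlimited"           # never expires on its own; relies on manual revocation
    if token.expires_at < today:
        return "expired"             # past its expiry date but never explicitly revoked
    if token.expires_at - today <= timedelta(days=warn_days):
        return "expiring"            # rotate before the pipeline that uses it breaks
    return "ok"


def audit(tokens: List[ApiToken], today: date, warn_days: int = 14) -> Dict[str, List[str]]:
    """Group token IDs by finding so the risky buckets can be reviewed first."""
    report: Dict[str, List[str]] = {k: [] for k in ("revoked", "expired", "expiring", "unlimited", "ok")}
    for token in tokens:
        report[classify(token, today, warn_days)].append(token.id)
    return report


# Constructed sample inventory (hypothetical IDs and roles). The secret token value is
# only ever shown once at creation, so it is deliberately not part of these records.
AS_OF = date(2024, 6, 20)
SAMPLE = [
    ApiToken("ci-build", "GitHub Actions image push", "Artefact Contributor", date(2024, 7, 1)),
    ApiToken("ci-deploy", "Deploy to development", "Developer", None),
    ApiToken("legacy-sync", "Old sync job", "Administrator", date(2023, 12, 31)),
    ApiToken("old-ci", "Replaced pipeline", "Developer", date(2025, 1, 1), revoked=True),
]

if __name__ == "__main__":
    for finding, ids in audit(SAMPLE, AS_OF).items():
        print(f"{finding:>9}: {', '.join(ids) or '-'}")
```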
What are Artefact Contributors?
When checking out the new UI you may discover an addition to our organization roles. We now offer the ability to assign Service Users the role of Artefact Contributor. This role is ONLY for Service Users and can’t be assigned to regular organization members.
Artefact Contributors can fetch hosted registry credentials, list and add image builds, and list all applications they can access. This role can be assigned by organization administrators and managers.
How to get started
We hope you enjoy exploring the new feature and if you have questions or need any help, please get in touch. Our team is always here to make sure you have the best experience.