API and SSO Credential Management

API Keys and SSO Secret

API Keys & SSO Secrets are used for authentication purposes to ensure that requests are coming from an authorized source. This combination enhances security by ensuring that only the designated party can use the API services and SSO URLs.

SSO is an authentication mechanism that allows users to access multiple applications and websites with one set of credentials. For more information on SSO usage please see the Widgetized Campaign Manager SSO integration page.

MCM utilizes keys to authenticate and authorize all API requests. When making Decision, Event, and Management API requests. The request header must include the API key as well as the unique platform ID provided by Moloco. Please see the following example for more information.

Generating API Keys and SSO Secrets

MCM API Keys and SSO Secrets are generated using the Standalone Campaign Manager, in the Admin control panel under Credential Management. This allows platform developers to privately, securely, and efficiently self-manage their credentials. These secret keys should be kept confidential and only known to the client and the API service to prevent unauthorized access.

Administration

  • Managing API keys and SSO secrets is restricted to users with the "Platform Owner" role.

🚧

Caution

After an API key is generated customers should copy the key and store it immediately. API keys will only be displayed once during creation and are not retrievable afterwards.

Credential Manager features

  • Generate, view, or change a SSO secret.
  • Generate and designate a name for each API key.
  • Set a time-to-live (TTL) for an API key.
  • View the status of an API key, the key type, and the time remaining before expiration.
  • Delete API keys that are no longer in use or compromised.

Limitations

Maximum API secret keys per Platform10 Total (Including expired keys)
Maximum SSO secrets per Platform1
Maximum key name length128 Characters
TTL OptionsNo expiration, 1 day, 7, 14, 30, 60, 90, 180 days, 1 year

Best Practices

Storage

  • We recommend using a secure storage solution like AWS Secrets Manager, Azure Key Vault, or Google Cloud Secret Manager to store and manage your API keys and SSO secrets. These services provide encryption and access control mechanisms to protect your keys.

Limit access to keys

  • Restrict access to the API keys and SSO secrets using the principle of least privilege. Keys and secrets should be utilized solely by applications that require them for their core operations.
    Avoid unencrypted secrets
  • Do not store unencrypted secrets in Git repositories and avoid embedding API keys directly in your code or front end systems, this can lead to accidental exposure to the public.

Rotation and revocation

  • Regularly rotate your API keys and create a process to revoke keys if they are no longer in use or compromised; this minimizes the risk of long-term exposure. Time-to-live settings should follow your internal security guidelines.