Unmanageable API Key Whitelists
Enterprises with a lot of active software development groups have unmanageable API Key whitelists. This manifests in a lot of ways.
There is no way to limit API Keys to development (limit liability). Typical dev-qa-prod cycle requires 3 API keys. No way to associate API Keys to specific projects. There is no way to tell if old API Keys are still in use.
AdminDaniel Kaplan
(Admin, Box)
shared this idea
Delivered - we have removed the allowlist for user auth apps and moved those apps to the new user auth tab. Details here: https://medium.com/box-developer-blog/custom-apps-manager-updates-c79ccf8ebe97
Sandbox enhancements are being tracked separately.
-
AdminRory Paap
(Admin, Box)
commented
There are 2 key topics here:
1. WHITELIST MANAGEMENT: If unpublished apps are disabled by default, admins must a) know the API key to enter, then b) paste that API key into the exemption field, then c) somehow keep track of which API key belongs to which app as there's no way to tell in the product.
REQUEST: Make the unpublished app API key section much more similar to the Custom Applications section that already exists where the UI tells you which app it is once you add an API key.
2. VISIBILITY: Currently, we don't provide admins any visibility to see which applications have been created by their managed users. A side effect of this is that if companies have the 'disable unpublished apps by default' setting enabled (see above), users must manually copy/paste their API key to the admin in order for it to get whitelisted.
REQUEST: Add an 'applications created by your Managed Users' section to the Admin Console Enterprise Settings -> Apps page to a) give admins visibility into the applications created by their users and b) provide an easier way to add these unpublished applications to the whitelist.
-
AdminChristopher Drubka
(Admin, Box)
commented
Currently, in the API Key Whitelist area, there's no way to tell which API key applies to which application.
End users (admins) have no way to look these up easily, and must do research on their dev side or contact Box to identify the associated application. It becomes unmanageable at scale when enterprises have many API keys whitelisted. It's also important to know which keys are which for internal and external audits.