Overview
Access Keys allow you to authenticate programmatic access to Backline’s API and connect external tools to your Backline account. Create, manage, and revoke access keys to maintain secure integrations.
What are Access Keys?
Access Keys are authentication credentials that enable:
- API access for custom integrations
- Programmatic interaction with Backline
- Integration with CI/CD pipelines
- Third-party tool connections
- Automated workflows and scripts
Accessing Access Keys
1. Navigate to Settings: Click on Settings in the main navigation menu.
2. Select Access Keys: Choose Access Keys from the settings menu.
3. Manage Keys: View, create, or revoke access keys as needed.
Creating an Access Key
1. Click Create: In the Access Keys page, click the Create Access Key button.
2. Name Your Key: Provide a descriptive name to identify the key’s purpose (e.g., “CI/CD Pipeline”, “External Scanner”).
3. Set Permissions: Choose the appropriate permissions and scopes for this key.
4. Generate: Click Generate to create the access key.
5. Save the Key: Copy and securely store the generated key. You won’t be able to view it again.
Managing Access Keys
Viewing Active Keys
The Access Keys page displays:
- Key name and description
- Creation date
- Last used date
- Permissions and scopes
- Status (Active/Inactive)
Revoking Access Keys
To revoke an access key:
1. Locate the Key: Find the key you want to revoke in the list.
2. Click Revoke: Click the Revoke or delete button next to the key.
3. Confirm: Confirm that you want to revoke the key.
Revoking an access key immediately invalidates it. Any integrations using that key will stop working until you provide a new key.
Best Practices
Use Descriptive Names
Name your access keys based on their purpose and where they’re used. This makes it easier to identify and manage them later.
Good examples:
- “Production CI/CD Pipeline”
- “Staging Environment Scanner”
- “External Monitoring Tool”
Principle of Least Privilege
Grant only the minimum permissions necessary for each access key. If a key only needs to read vulnerabilities, don’t give it write permissions.
Regular Rotation
Rotate access keys periodically (e.g., every 90 days) to maintain security. Create a new key, update your integrations, then revoke the old key.
Secure Storage
Never commit access keys to version control or share them in plain text. Use:
- Environment variables
- Secrets management systems (e.g., AWS Secrets Manager, HashiCorp Vault)
- Secure password managers
Monitor Usage
Regularly review the “Last used” date for each key. Revoke keys that haven’t been used recently to reduce your security surface.
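The rotation and usage-review practices above can be checked with a short script. This is an added example, not part of Backline's documentation or API: the inventory is constructed sample data with hypothetical field names, and the 30-day idle threshold is an assumption (the 90-day rotation interval is the one suggested above).

```python
from datetime import date

MAX_KEY_AGE_DAYS = 90   # rotation interval the page gives as an example
MAX_IDLE_DAYS = 30      # assumption: the page says "recently" without a number

# Constructed inventory, hand-copied from the Access Keys list view. The field
# names are hypothetical; they are not a Backline export or API format.
KEYS = [
    {"name": "Production CI/CD Pipeline", "created": "2025-01-10",
     "last_used": "2025-06-01", "status": "Active"},
    {"name": "Staging Environment Scanner", "created": "2025-05-02",
     "last_used": None, "status": "Active"},
    {"name": "External Monitoring Tool", "created": "2025-05-20",
     "last_used": "2025-05-30", "status": "Active"},
    {"name": "Old Report Script", "created": "2024-03-01",
     "last_used": "2024-04-01", "status": "Inactive"},
]

def audit_keys(keys, today, max_age=MAX_KEY_AGE_DAYS, max_idle=MAX_IDLE_DAYS):
    """Return {key name: [findings]} for active keys that need attention."""
    findings = {}
    for key in keys:
        if key["status"] != "Active":
            continue  # assumption: keys marked Inactive are already disabled
        created = date.fromisoformat(key["created"])
        issues = []
        age = (today - created).days
        if age > max_age:
            issues.append(f"rotate: {age} days old")
        # A key that was never used is measured from its creation date.
        last = date.fromisoformat(key["last_used"]) if key["last_used"] else created
        idle = (today - last).days
        if idle > max_idle:
            what = "unused for" if key["last_used"] else "never used in"
            issues.append(f"revoke candidate: {what} {idle} days")
        if issues:
            findings[key["name"]] = issues
    return findings

if __name__ == "__main__":
    for name, issues in audit_keys(KEYS, date(2025, 6, 2)).items():
        print(f"{name}: {'; '.join(issues)}")
```

The script holds only key metadata, never the key values themselves, so the inventory file can be kept outside a secrets manager.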
Use Cases
External Monitoring
Use access keys to:
- Connect monitoring dashboards
- Export vulnerability data to external systems
- Integrate with security information and event management (SIEM) tools
Custom Automation
Build custom scripts that:
- Generate security reports
- Automate remediation workflows
- Sync data with other systems
Troubleshooting
Authentication Failed
If you receive authentication errors:
- Verify the access key is copied correctly (no extra spaces or characters)
- Check that the key hasn’t been revoked
- Ensure the key has the necessary permissions for the requested operation
- Confirm you’re using the key in the correct API endpoint
Key Not Working After Creation
If a newly created key isn’t working:
- Wait a few moments (key propagation may take seconds)
- Verify you copied the entire key during creation
- Check that you’re using the correct API format and headers
Security Considerations
- An access key grants access to your Backline account up to the full extent of its assigned permissions
- Treat access keys like passwords - never share them publicly
- If you suspect a key has been compromised, revoke it immediately
- Monitor API usage for unusual activity
- Use different keys for different purposes to limit potential damage if one is compromised