Rework the API Creation/Storage process for a user


Revise the current way of creating API Keys in order to increase our security processes.

Here are some things to improve upon:

  • Stop the API key email that gets sent. The key should never be sent via email. We send it via email, because we create a key for them upon account creation.

  • Show a warning banner that they must create an API key if they log in and they don’t have any keys registered

  • The user must have a section where they can create multiple keys, not only one key

  • Have the ability for a key to have a permission scope: read only, read-write

  • When a key is created, show it to the user, but NEVER show it again, and make sure the user knows this.

  • The key’s prefix and suffix should be visible for identification only of the right key

  • Store the keys in encrypted format or bcrypted format (??)

  • Would be great if they log in via CommandBox and they don’t have an API key, to actually create it from there

  • Separate the current field in the user object to a separate table to store user keys


Eric Peterson
January 29, 2020, 6:05 PM

I would add that we don’t need to show the prefix or suffix. Rather let the user give the key a label, like GitHub personal access tokens.

Eric Peterson
January 29, 2020, 6:06 PM

One way hashing for the api keys.

Eric Peterson
January 29, 2020, 6:11 PM

I don’t think we need to force the user to create a token. Just a section on the site to create one or more. CommandBox can also automate this.

Luis Majano
January 29, 2020, 10:37 PM

Thanks, I like the suggestions.
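The key lifecycle described in the issue and refined in the comments (user-supplied label instead of a visible prefix/suffix, one-way hashing, read vs read-write scope, plaintext shown only once), as an added Python example that is not ForgeBox code. The `fbx_` prefix, the in-memory list standing in for the separate user-keys table, and the function names are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class StoredKey:
    label: str        # user-supplied name, like a GitHub personal access token
    scope: str        # "read" or "read-write"
    key_hash: bytes   # one-way hash; the plaintext is never persisted
    user_id: int

# Constructed stand-in for the separate "user keys" table (assumption).
_keys: List[StoredKey] = []

def _hash(secret: str) -> bytes:
    # A fast hash is acceptable here: keys are long random strings, not
    # low-entropy passwords, so bcrypt's cost factor buys little.
    return hashlib.sha256(secret.encode()).digest()

def create_key(user_id: int, label: str, scope: str) -> str:
    """Mint a key, store only its hash, and return the plaintext once."""
    if scope not in ("read", "read-write"):
        raise ValueError("scope must be 'read' or 'read-write'")
    plaintext = "fbx_" + secrets.token_urlsafe(32)   # prefix is an assumption
    _keys.append(StoredKey(label, scope, _hash(plaintext), user_id))
    return plaintext   # caller shows this to the user exactly once

def authenticate(presented: str) -> Optional[StoredKey]:
    """Find the stored record whose hash matches the presented key."""
    digest = _hash(presented)
    for k in _keys:
        if hmac.compare_digest(k.key_hash, digest):   # constant-time compare
            return k
    return None

def authorize(presented: str, action: str) -> bool:
    """True only if the key exists and its scope permits the action."""
    k = authenticate(presented)
    if k is None:
        return False
    return action == "read" or k.scope == "read-write"

def list_keys(user_id: int) -> List[Tuple[str, str]]:
    """What the account page may show: label and scope, never the secret."""
    return [(k.label, k.scope) for k in _keys if k.user_id == user_id]
```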





Luis Majano