Knowing where and how API access tokens are being used against an account is a crucial part of maintaining data security. It can be difficult to know how far a token has spread in the wild: perhaps it was shared in an email here, or copy-pasted into a chat app there. The modern world of cloud computing services has made it hard to know where these slight indiscretions may have exposed a token to a person or system without an administrator's knowledge. It paints a scary picture in a world of continuous data leaks and security breaches.
This is where rotating out long-lived tokens can be a beneficial practice. In short, token rotation is the process by which an authentication token is replaced by a new token and then retired or expired. The result is that if a token is exposed, its finite lifespan prevents it from becoming a long-term threat. The rotation frequency is negotiated by balancing usability, security, performance, and cost for a given use case; it may vary by company, by token, by integration, or by any combination of these and other factors.
A beneficial side effect of practicing token rotation is that an admin becomes familiar with each use case and can react or plan strategically. In the worst-case scenario, a single token with too much privilege or permission is used for every use case and has an unnecessarily long lifespan. Should that token be compromised, the only option is to expire it and react to the fallout. By practicing rotation, an admin knows the possible impact of a compromised token and can take less drastic, more direct action.
TrackVia makes it easy to manage tokens. Simply create a new token for an API user and swap it in for the old token wherever that token is used. Once the new token has been deployed and tested, its predecessor can be disabled through the TrackVia API Access system.
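The overlap rotation described above, as an added Python illustration that is not TrackVia's API or code: a token registry that enforces a maximum lifetime, accepts only live tokens, and disables the predecessor only after the successor has been deployed and tested. The store, the user name and the `deploy_and_test` hook are assumptions for the example.

```python
import hmac
import secrets
from dataclasses import dataclass

@dataclass
class Token:
    secret: str
    expires_at: int      # hard cap on the token's life (unix seconds)
    disabled: bool = False

class TokenStore:
    """Constructed example: per-user token registry; clock is injectable for tests."""

    def __init__(self, max_lifetime: int, clock):
        self.max_lifetime = max_lifetime
        self.clock = clock
        self.tokens: dict[str, list[Token]] = {}

    def issue(self, user: str) -> Token:
        tok = Token(secrets.token_urlsafe(32), self.clock() + self.max_lifetime)
        self.tokens.setdefault(user, []).append(tok)
        return tok

    def validate(self, user: str, presented: str) -> bool:
        now = self.clock()
        for tok in self.tokens.get(user, []):
            if tok.disabled or now >= tok.expires_at:
                continue
            # constant-time compare so timing does not reveal matching prefixes
            if hmac.compare_digest(tok.secret, presented):
                return True
        return False

    def disable_others(self, user: str, keep: Token) -> int:
        """Retire every live token for user except `keep`; returns the count retired."""
        retired = [t for t in self.tokens.get(user, []) if t is not keep and not t.disabled]
        for t in retired:
            t.disabled = True
        return len(retired)

def rotate(store: TokenStore, user: str, deploy_and_test):
    """Overlap rotation: mint the successor, let the caller swap it in and test it
    while the predecessor is still valid, then disable the predecessor. On a failed
    test the new token is disabled instead and the old one stays in service."""
    new = store.issue(user)
    if not deploy_and_test(new.secret):
        new.disabled = True
        return None
    store.disable_others(user, new)
    return new
```

During the `deploy_and_test` window both tokens validate, which is what lets an integration switch over without downtime; once it returns, only the successor is accepted.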