In case of a potential API key exposure, is it possible to reset the key? Also, what would be the impact on our live systems or those already deployed to client environments?
7 Answer(s)
-
0
hi
The API Key is the token of PRO packages hosted on nuget.abp.io. Your private NuGet source is https://nuget.abp.io/your_key/v3/index.json. This is automatically added as a feed to your NuGet.Config in your ABP solution. Do not share your private key with unauthorized users!
If you reset it, the previous key will no longer be able to restore packages from nuget.abp.io.
The live system will not be affected since it does not need to restore the packages.
You can send an email to info@abp.io to request a reset.
Please include your organization's info in the mail.
Thanks.
-
0
Thank you for the explanation. I also have a related follow-up question:
- Should the appsettings.secrets.json file be included when deploying the application to client environments?
- If we reset the API key, how would that affect this file? Would it need manual updates, or is it handled automatically?
-
0
hi
Should the appsettings.secrets.json file be included when deploying the application to client environments?
Yes, you should include it.
The license code in appsettings.secrets.json is different from API Key. Resetting the API key will not affect the License code.
Thanks.
-
0
Regarding the same issue, is it possible to reset the license code?
-
0
Hi,
There are 2 ABP secret keys that are custom to your organization:
- ApiKey: The private key to access nuget.abp.io server. All organizations have a dedicated private ApiKey. This key is stored in the NuGet.config file. If your ApiKey is exposed, you can send an email to info@abp.io, and we can change your ApiKey. When we change it, the old key is invalidated and projects that still use that old ApiKey will stop restoring ABP packages. If your system is on production, it will still run without any problem because you are not restoring packages. But it's advised to manually update your ApiKey for your CI/CD pipeline.
- AbpLicenseCode: The license code is used to validate how many and which developers are working on the ABP solution. Each developer must sign in via ABP CLI or ABP Studio to be able to write code on their ABP project. This code is stored in several appsettings.secrets.json files in your startup projects. If your AbpLicenseCode is exposed, you can send an email to info@abp.io, and we can reset your AbpLicenseCode. When we change it, the old license code is invalidated, and developers will see errors when they run their ABP project. As we use caching, the errors will arise after some time. You must manually update the old AbpLicenseCode. To get your new AbpLicenseCode, you must create a new dummy project with the same project name and copy the new AbpLicenseCode from this new project into your existing project.
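A check for the manual-update step described in the answer above, as an added example that is not part of the original thread and not ABP tooling: it walks a solution folder, finds every NuGet.Config feed URL of the form quoted earlier and every appsettings.secrets.json carrying an AbpLicenseCode, and lists the files that still hold a value that has been reset. It assumes AbpLicenseCode is a top-level key in that file; the key values and the sample tree are constructed, and only SHA-256 fingerprints are reported so the output can be pasted into a ticket.

```python
import hashlib, json, re, tempfile
import xml.etree.ElementTree as ET
from pathlib import Path
# Feed URL shape quoted in the thread: https://nuget.abp.io/<ApiKey>/v3/index.json
FEED_RE = re.compile(r"https://nuget\.abp\.io/([^/]+)/v3/index\.json", re.I)

def fingerprint(secret):
    """Short SHA-256 prefix, so the report never contains the secret itself."""
    return hashlib.sha256(secret.encode()).hexdigest()[:12]

def find_abp_secrets(root):
    """Return sorted (relative path, kind, fingerprint) for each secret under root."""
    root, hits = Path(root), []
    for path in (p for p in root.rglob("*") if p.is_file()):
        rel, name = path.relative_to(root).as_posix(), path.name.lower()
        try:
            if name == "nuget.config":
                for add in ET.parse(path).getroot().iter("add"):
                    m = FEED_RE.search(add.get("value", ""))
                    if m:
                        hits.append((rel, "ApiKey", fingerprint(m.group(1))))
            elif name == "appsettings.secrets.json":
                data = json.loads(path.read_text(encoding="utf-8-sig"))
                # Assumption: AbpLicenseCode is a top-level key of this file.
                if isinstance(data, dict) and data.get("AbpLicenseCode"):
                    hits.append((rel, "AbpLicenseCode", fingerprint(data["AbpLicenseCode"])))
        except (ET.ParseError, ValueError, OSError):
            hits.append((rel, "unreadable", ""))  # needs a manual look
    return sorted(hits)

def still_revoked(hits, revoked_values):
    """Hits whose value matches a key or license code that has been reset."""
    revoked = {fingerprint(v) for v in revoked_values}
    return [h for h in hits if h[2] in revoked]

def build_sample_tree(root):
    """Constructed sample solution: one stale feed key, one current one, one license file."""
    feed = '<configuration><packageSources><add key="ABP" value="https://nuget.abp.io/%s/v3/index.json" /></packageSources></configuration>'
    files = {"NuGet.Config": feed % "OLD-KEY-0000",
             "ci/NuGet.Config": feed % "NEW-KEY-1111",
             "src/Web/appsettings.secrets.json": json.dumps({"AbpLicenseCode": "OLD-LICENSE-0000"})}
    for rel, body in files.items():
        (Path(root) / rel).parent.mkdir(parents=True, exist_ok=True)
        (Path(root) / rel).write_text(body, encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(still_revoked(find_abp_secrets(tmp), ["OLD-KEY-0000", "OLD-LICENSE-0000"]))
```

Run it against each repository and CI workspace after a reset; an `unreadable` entry marks a file that did not parse (for example, JSON with comments) and has to be checked by hand.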
-
0
Dear ABP Team,
Thank you for the detailed explanation regarding the ABP secret keys (ApiKey and AbpLicenseCode). I appreciate the clear instructions on how to handle these keys, especially in cases where they might be exposed.
Your support is invaluable, and I’ll be sure to follow the outlined steps if needed. Thanks again for your assistance!
-
0
You're welcome. : )