Sprintr Security: View rights do not give access to API Keys

1
Hi fellow Mendix developers, in our project we are dealing with 3 different applications, which are being developed at the same time. In order to have an overview of all the user stories, feedback and tests that are stored in their own Sprintr, we're implementing the "Stories API" app services. For the service to work, you need both the Project ID as well as the API Key, which are stored at home.mendix.com in the project settings section. Our Scrum master has generated an API Key, however all other members of the project (which have viewing rights only) cannot see the API Key. The website states clearly: "You do not have sufficient rights to access this page. You can contact your project's SCRUM Master to have this changed." It seems odd that none of the team members are allowed to view the API Key, despite the right 'View'. Is this a (known) bug in the security of Sprintr? Or am I missing something that explains why we cannot see the API Key? Thanks in advance! Olivier
asked
1 answer
2

Hi Olivier,

Due to the privileges which are granted to an external app using the stories and feedback API, management of API keys is restricted to Scrum Masters only.

Regarding being able to look up an API key in general: you will only be able to view an API key on creation; after this it will only be stored in hashed form for security reasons, and you will not be able to view it again. If you no longer know the contents of an API key, you should revoke that key and create a new key instead.

(Note that this is a pretty common security measure, which is used by for example Google as well for granting external applications access to your Google account's information)

Kind regards,

Sjoerd Breur

answered
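As an added illustration (not Mendix's or Sprintr's own code), here is a minimal Python key store that models the behaviour the answer describes: the plaintext key is returned exactly once at creation, only a hash is kept afterwards, viewers can list key ids and status but never a secret, and a lost key is handled by revoking it and creating a new one. The class and method names are assumptions for this example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Hypothetical store, not Mendix's implementation: demonstrates the
# "view once, then only a hash is stored" pattern for API keys.


@dataclass
class ApiKeyRecord:
    key_id: str      # public identifier, safe to show to any team member
    key_hash: str    # SHA-256 of the secret; the secret itself is never kept
    revoked: bool = False


class ApiKeyStore:
    def __init__(self):
        self._records = {}   # key_id -> ApiKeyRecord; no plaintext anywhere

    def create(self):
        """Generate a key. This is the only moment the plaintext exists outside the caller."""
        key_id = secrets.token_hex(4)            # short id used to look the record up
        secret = secrets.token_urlsafe(32)       # high-entropy secret, shown once
        self._records[key_id] = ApiKeyRecord(key_id, self._hash(secret))
        return key_id, secret

    def verify(self, key_id, presented):
        """Check a presented key without ever reconstructing the stored secret."""
        rec = self._records.get(key_id)
        if rec is None or rec.revoked:
            return False
        # constant-time comparison of the two digests
        return hmac.compare_digest(rec.key_hash, self._hash(presented))

    def revoke(self, key_id):
        """What to do when a key is lost: disable it, then call create() again."""
        if key_id in self._records:
            self._records[key_id].revoked = True

    def list_keys(self):
        """Everything a viewer could be shown: ids and status, never a secret or hash."""
        return [{"key_id": r.key_id, "revoked": r.revoked} for r in self._records.values()]

    @staticmethod
    def _hash(secret):
        # A plain SHA-256 is adequate here because the secret is random and
        # high-entropy; low-entropy secrets (passwords) would need a slow KDF.
        return hashlib.sha256(secret.encode("utf-8")).hexdigest()
```

Note that there is deliberately no method that returns the secret again; once `create()` has returned, the only recovery path is `revoke()` followed by a fresh `create()`.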