The PHC platform allows users to create and manage API Keys that can be used by applications to access the LifeOmic API. Instead of having to do the normal authentication process of entering in user credentials, an API Key can be supplied instead that acts on behalf of the user and provides the same level of access within the account.
This procedure requires the Manage API Keys permission. This permission is not contained in the default Administrator privileges. To add this permission, see Create a Custom Policy for Access Control.
Set up API Keys
- Go to https://apps.us.lifeomic.com to sign in and complete the steps to access your account in PHC.
- From any page in PHC, click the logo at the top of the page.
- From the home page, click the Account Info tile.
- Click the API Keys tab.
- Click Add.
- Enter a name in the Name field.
- Enter a number in the Days before expiration field. (The minimum number of days is 1 and the maximum is 365.)
- Click Add.
- After the key is created, a New API Key dialog shows the key value. Copy and store the API key value in a secure location, such as a password manager. Note: This is the only time you can copy the key value.
- From the API Keys screen, you can see the list of current API keys. Every API Key has an expiration date. Once a key has expired it can no longer be used. This is in place to encourage users to rotate their keys on a regular schedule.
If the API key did not appear on your API Keys screen, refresh your browser window. If it still does not appear, check that you have the access control permission Manage API Keys.
A best practice is to rotate API keys on a regular basis. To ensure this, all API keys have a required expiration with a maximum length of 365 days. Determine the rotation interval that works best for your use case. Because API keys tend to spread into code repositories or unnecessary locations during active development (for instance, docker containers), optimizing the continuous delivery pipeline to handle API key rotation will ensure this process is streamlined.
You can also delete a key from the API Keys screen. Deleting a key makes it invalid immediately. Only delete a compromised key or a key you no longer wish to use.