TL;DR. Our new API Access management allows user-level keys, supports multiple keys with audit capabilities, provides options to disable or delete the API keys, and improves the overall security of ChartMogul APIs. Not to mention the increased flexibility this offers you and your team.
At ChartMogul, we continually push our limits to bring you the most comprehensive set of analytics features, the most integrations, and solve the most use cases with our APIs. In short, we’re building the best subscription analytics product on the market. Building ChartMogul over the last 7 years has meant listening to our users, and implementing changes to the product that bring them the most value. However, pursuing new territory and growing the product – making ChartMogul a more integrated part of our customers’ data ecosystem for example – has resulted in some technical debt. This is a common tale in the world of SaaS, and as Martin Fowler mentions in his Technical Debt Quadrant, some tech debt is inevitable. The latest upgrade to our API access management is the result of addressing some of this technical debt and, of course, listening to requests for our users.
To better illustrate just how important these changes are, we have to discuss them in contrast to how we’re currently managing API keys. ChartMogul users have historically used our APIs solely to import subscription data. Originally, we created API access management to address this one use case. Admins can create only one read-write API key and this key can be shared amongst everyone on the team – and for whatever purpose.
Now that we’ve introduced our Metrics API, created an iPhone app, and are currently creating multiple ways to export data out of ChartMogul, it’s become necessary to update our API Access Management solution to support new and complex scenarios, make the APIs more secure, and give greater flexibility to your team.
User-level multiple keys
Let’s dig into the details of the latest release. All users can create API keys with the API Access Management solution. Admins can create both read-write or read-only keys, and team members can create read-only keys.
You can also create multiple keys based on the need. For example, you can create a read-write key to import your subscription data into ChartMogul while a separate read-only key to get your metrics out of ChartMogul using the Metrics API. Admins can easily disable inactive keys, which is especially useful when offboarding employees.
What happens to my existing API keys?
You don’t have to make any changes to take any action if you don’t want to. Your existing keys will work as they are, but we strongly suggest moving to the new version of API Access management and creating separate keys for each of your integrations.
Regenerate, disable or delete an API key
If your key is compromised, then you can either regenerate the API Key or disable it. Disabling a key should be used as a temporary measure, and you can re-enable it if the key is not compromised. If you no longer need the API key, you can delete it. Please note that after regenerating a key, you should update your integrations with this new API Key.
We also added the ability to quickly copy your newly created keys by scanning the QR code. This will be by far the simplest way to login to your ChartMogul account in the iPhone app. We’ll be making the updates to the mobile version soon.
We’ve got your back
ChartMogul tracks all actions in the ChartMogul UI and API against a user which can help identify malicious actions or security breaches. It is important not to share your login details or your API keys with any other user. Just create separate keys for each integration.