NOTICE: JFrog Artifactory API Key Deprecation

JFrog has announced that they will be deprecating the use of their API Keys for Artifactory by the end of 2024.

In place of JFrog API keys, all users will need to migrate over to JFrog tokens.

This means that users of the Cardinal Mobile SDK (CMSDK) will need to log in to their JFrog Artifactory account, follow the steps to create a new token (or tokens), and replace every instance of their old API key with the new token (or tokens) before the end of 2024 to avoid any disruption to app development where the CMSDK is in use.

JFrog has provided a guide on how to create these tokens that can be accessed here: Introducing JFrog Access and Identity Tokens

According to JFrog: “You can use this token to access the application (Artifactory) in place of a password, just like an API key”, which should make the process of transitioning from API keys to tokens relatively simple.


FAQ

Q: What are the types of JFrog tokens?

A: JFrog Access and Identity tokens are the new method of user authentication for the JFrog platform. JFrog’s Access Tokens are standard JSON Web Tokens (JWTs) that provide flexibility and security by setting various token properties, which in turn control the token’s permissions, lifecycle, accessibility and more. You can read more about JFrog’s access tokens here.

One type of Access Token is called an Identity Token, which is an Access Token that is scoped (targeted) to a specific user’s permissions (their identity). Using an Identity Token is key to accessing the other types of tokens, such as Reference Tokens.

The JFrog Reference Token is simply a short string of characters that refers to an actual token. This type of token will inherit the configurations of the parent Identity token and may be preferable to use as it will be much shorter in length compared to the JWT format of the Identity token.

Q: How can I create a new Identity token?

A: Please follow the documentation created by JFrog to create new identity tokens: https://jfrog.com/help/r/jfrog-platform-administration-documentation/generate-identity-token

Q: Can I still create API Keys?

A: By the end of Q3, 2024, you will not be able to create new API keys through the JFrog UI or API.

Source: https://jfrog.com/help/r/jfrog-platform-administration-documentation/jfrog-api-key-deprecation-process

Q: When does support of API Keys stop completely?

A: There is no specific date provided by JFrog at the time of this writing, but by the end of Q4 2024, JFrog Artifactory will no longer support API keys.

Source: https://jfrog.com/help/r/jfrog-platform-administration-documentation/jfrog-api-key-deprecation-process

Q: Do the new tokens expire?

A: Yes, the new tokens have expiry dates that can be configured at the time of their creation.
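
Because the new tokens are JWTs with an expiry date, a build can fail when a stored token lapses. The sketch below is an added example, not code from Cardinal or JFrog: it reads the expiry from a JWT-format token locally, assuming the expiry is carried in the standard `exp` claim (RFC 7519), and returns no result for a short reference token, which is not a JWT. The function names and the sample token are constructed for illustration.

```python
import base64
import json
import time


def _b64url_json(segment):
    """Decode one base64url JWT segment (padding restored) into Python data."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def token_expiry(token):
    """Return the `exp` claim (Unix seconds) of a JWT-format token, else None.

    None covers tokens that are not three-part JWTs (such as a short reference
    token) and JWTs without `exp`. The signature is NOT verified: this is a
    local inventory check, not an authentication decision.
    """
    parts = token.strip().split(".")
    if len(parts) != 3:
        return None
    try:
        claims = _b64url_json(parts[1])
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    exp = claims.get("exp") if isinstance(claims, dict) else None
    return int(exp) if isinstance(exp, (int, float)) else None


def days_until_expiry(token, now=None):
    """Days left before `exp`; negative if already expired, None if unknown."""
    exp = token_expiry(token)
    if exp is None:
        return None
    return (exp - (time.time() if now is None else now)) / 86400.0


def make_sample_jwt(claims):
    """Build a constructed, unsigned JWT-shaped string (sample input only)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), "c2ln"])


if __name__ == "__main__":
    sample = make_sample_jwt({"sub": "constructed-user", "exp": int(time.time()) + 7 * 86400})
    print(f"sample token expires in {days_until_expiry(sample):.1f} days")
```

Run the check from a secured CI step or locally, and avoid printing the token itself to build logs.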

Q: Can they be refreshed?

A: Yes, but only if that was enabled at the creation of the token and only if that type of token can be refreshed.

Q: Can I use a token in place of an API key?

A: Yes, in many cases a direct replacement of the previously used API key is all that is needed. For example, where the JFrog API key was used in the password field of an API call, substitute the token in its place.

Q: Can Cardinal create the new JFrog Artifactory token for me?

A: Unfortunately, no. All users must generate tokens for themselves, either with the JFrog REST API or through the Artifactory UI. Please refer to JFrog’s documentation on how to create the token here: https://jfrog.com/help/r/jfrog-platform-administration-documentation/generate-identity-token


For more information on the deprecation of API keys for JFrog Artifactory, please refer to JFrog’s documentation: https://jfrog.com/help/r/platform-api-key-deprecation-and-the-new-reference-tokens/jfrog-s-legacy-of-api-keys

If you have any issues in updating from API keys to JFrog tokens and are unable to find answers in JFrog’s documentation, please reach out to your Cardinal account manager for assistance.