Skip to main content
You can use API keys to engage with Endor Labs services programmatically to enable any automation or integration with other systems in your environment. See Manage API keys for more information on how to create and delete API keys. Ensure that you rotate API keys regularly to limit how long a stolen API key stays valid.
Instead of using API keys, you can use keyless authentication to authenticate with Endor Labs services. See Keyless authentication for more information. Using keyless authentication eliminates the need to manage API keys and reduces the risk of API key compromise.
You can use the Endor Labs API to programmatically create scripts to manage API keys.

Check for expiring API keys

API key expiry can cause interruptions in your workflows. It is a good practice to check for expiring API keys so that you can rotate them before they expire. You can use the following script (key-expiry.sh) to check for expiring API keys. By default, the script checks for API keys that expire in the next day in the currently configured namespace. You can pass the -d flag with a number to check for API keys that expire in the next n days. You can also pass a namespace with the -n flag followed by the namespace name to check for expiring API keys in a specific namespace. The script uses jq to parse the json response and generate a formatted output. If you do not have jq installed, the script provides a json output.
The script returns the API keys that are expiring in the specified days. The output contains the key name, expiry date, and the information about the user that created the key. You can inform the user that the API key is expiring in the specified days and ask them to rotate the API key. See Create API keys for more information on how to create API keys.

Create a cron job to check for expiring API keys

You can also create a cron job to run the script at a regular interval and fetch the details of the expiring API keys. The following example shows a cron job script, check_key_expiry_cron.sh, that wraps the key-expiry.sh script, and sends an email to the specified email address if there are expiring API keys. Configure the script with the script path, number of days to check, email address for the report, and namespace.
Run the following command to create a cron job that runs the script at 8 AM every day if you keep the script in your home directory.

Check for API keys with long expiry

API keys with long expiry can be a security risk. The Endor Labs Create API key endpoint allows you to create API keys with expiry time of over 365 days. Such long expiry times may not be necessary and incompatible with your security policies. You can use the following script (check_long_expiry_keys.sh) to check for API keys with long expiry. The script checks for API keys with expiry dates longer than 365 days by default on the currently configured namespace. You can pass the -d flag with a number to check for API keys with expiry days according to the number you pass. You can also choose to pass an Endor Labs namespace to search for long expiry API keys in a specific namespace with the -n flag followed by the namespace name. The script uses jq to parse the json response.
The script returns the API keys with expiry dates longer than the number of days, expiry date, and the information about the user that created the key.

Clean up expired API keys

You should regularly check for and delete expired API keys. Keeping only active and necessary API keys can improve system performance by reducing the volume of data Endor Labs processes during authentication checks. Regular cleanup makes it easier to manage and monitor active keys, allowing for better oversight of API access and usage patterns. You can use the Endor Labs API to check for expired API keys and delete them. The following script (delete-expired-keys.sh) checks for expired API keys and presents the options to delete them. You can choose to pass an Endor Labs namespace to search for expired API keys in a specific namespace. If you do not pass a namespace, the script checks for expired API keys in the currently configured namespace. The script uses jq to parse the json response.

Create a cron job to check for expired API keys

You can also create a cron job to run the script at a regular interval. The following example shows a cron job script, check_expired_keys_cron.sh, that wraps the delete-expired-keys.sh script. Configure the script with the operation mode (delete or report), script path, email address, and namespace.
You can use the following command to create a cron job that runs the script at 8 AM every day.