Skip to content

Add API Keys page (security/api-keys.md) #42

Open
Open
Add API Keys page (security/api-keys.md)#42
@michaellwest

Description

@michaellwest
michaellwest
opened on Mar 31, 2026

Context

SPE 9.0 introduces Remoting API Keys (#1426 in Console repo) that bind shared secrets to restriction profiles, enabling per-consumer security policies with throttling.

Proposed Location

security/api-keys.md

Content to Cover

Overview

  • What API Keys are: item-based credentials that bind a shared secret to a restriction profile
  • Location in content tree: /sitecore/system/Modules/PowerShell/Settings/Remoting/API Keys/
  • Template: Remoting API Key

API Key Fields

Field Type Purpose
SharedSecret Single-Line Text Authentication credential (compared with constant-time comparison)
Enabled Checkbox Enable/disable this key
Profile Single-Line Text Restriction profile to apply for this consumer
ImpersonateUser Single-Line Text Optional Sitecore user to impersonate
RequestLimit Integer Max requests per throttle window
ThrottleWindow Integer Throttle window in seconds

Setup Walkthrough

  1. Navigate to /sitecore/system/Modules/PowerShell/Settings/Remoting/API Keys/
  2. Create new item using Remoting API Key template
  3. Set shared secret, select profile, configure throttling
  4. Use the shared secret in client New-ScriptSession calls

Authentication Flow

  • API Key lookup happens first (by shared secret match)
  • Falls back to legacy JWT/bearer authentication if no API Key matches
  • Profile from API Key overrides service-level default

Request Throttling

  • Per-key rate limiting with configurable window and limit
  • Response headers: X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset
  • 429 Too Many Requests response with Retry-After header when exceeded

Client-Side Usage

# Using API Key shared secret
$session = New-ScriptSession -Username admin -Password b `
    -ConnectionUri https://spe.dev.local -SharedSecret "my-api-key-secret"

Caching

  • API Keys cached with 10-second TTL (configurable via Spe.AuthorizationCacheExpirationSecs)
  • Cache invalidated on item save/delete

Security Considerations

  • Use unique shared secrets per consumer
  • Assign least-privilege profiles
  • Enable throttling for external consumers
  • Duplicate secret warnings logged automatically

Related

  • Depends on Console repo feature/clm branch (#1426)
  • Links to: restriction-profiles.md, web-services.md

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions