BED-7559: API key expiration#251
Conversation
|
Preview deployment for your docs. Learn more about Mintlify Previews.
|
|
Important Review skippedAuto reviews are disabled on base/target branches other than the default branch. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
WalkthroughDocumentation expanded to introduce and explain BloodHound Enterprise API key expiration feature, including new dedicated configuration page, updates to security overview, integration guides, and collector setup instructions. Terminology across docs updated from "API key/ID pair" to "non-personal API token." Changes
Estimated code review effort🎯 2 (Simple) | ⏱️ ~12 minutes Poem
🚥 Pre-merge checks | ✅ 3✅ Passed checks (3 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
| description: Learn how to configure API key expiration in BloodHound Enterprise to enhance security and meet compliance requirements. | ||
| --- | ||
|
|
||
| <img noZoom src="/assets/enterprise-edition-pill-tag.svg" alt="Applies to BloodHound Enterprise only" /> |
There was a problem hiding this comment.
TODO: Confirm if BHE only
There was a problem hiding this comment.
It should work in BHCE too. Even if we're not expecting many people to use it in BHCE
There was a problem hiding this comment.
Removed BHE-only flags
|
@coderabbitai review |
✅ Actions performedReview triggered.
|
There was a problem hiding this comment.
Actionable comments posted: 4
♻️ Duplicate comments (1)
docs/manage-bloodhound/auth/api-key-expiration.mdx (1)
24-24:⚠️ Potential issue | 🟠 MajorResolve contradictory guidance on existing API keys.
This page currently says existing keys are both affected and unaffected after enabling expiration. That creates operational ambiguity for admins planning rotation and can lead to outages. Please make these statements consistent and reflect one verified behavior throughout the bullets, table, and step text.
Also applies to: 34-35, 58-62
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@docs/manage-bloodhound/auth/api-key-expiration.mdx` at line 24, Pick the verified system behavior (whether enabling API key expiration affects existing API keys or not) and make the document consistent: update the sentence "After enabling API key expiration, all existing API keys will be set to expire based on the configured validity period." plus the other conflicting statements in the bullets, table, and step text so they all state the same verified behavior, remove or reword any sentence that contradicts it, and add a short clarifying note about what admins must do for existing keys (e.g., rotation steps if they are affected) to avoid ambiguity; ensure you change the sentence, the bullet list entries, and the table/step descriptions referenced in this file so every occurrence matches the chosen behavior.
🧹 Nitpick comments (3)
docs/snippets/integrations/servicenow-create-user.mdx (1)
7-7: Update related ServiceNow snippet for consistent terminology.The change on line 7 correctly uses "non-personal API token pair", aligning with the PR's terminology standardization. However,
servicenow-connect-bloodhound.mdx:77still uses "token key and token ID" (though line 79 clarifies these refer to the "non-personal API token pair"). Since both snippets are used together in the ServiceNow integration workflow, update the related file to use "non-personal API token pair" consistently throughout.🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@docs/snippets/integrations/servicenow-create-user.mdx` at line 7, Replace the inconsistent phrase "token key and token ID" in the related ServiceNow snippet with "non-personal API token pair" so terminology matches the updated snippet; locate the sentence(s) containing the exact string "token key and token ID" and update them to use "non-personal API token pair" (keeping any clarifying parentheses or examples intact) and ensure any subsequent references in that snippet also use the same term.docs/snippets/auth/api-key-expiration.mdx (1)
2-2: Broaden scope from integrations to integrations and collector clients.This shared snippet is used in collector-client setup flows, so “integration configuration” is too narrow and can mislead readers in those contexts.
✏️ Proposed wording update
- If a BloodHound Enterprise administrator has [configured API key expiration](/manage-bloodhound/auth/api-key-expiration), plan to regenerate API tokens and update the integration configuration before they expire to prevent disruptions. + If a BloodHound Enterprise administrator has [configured API key expiration](/manage-bloodhound/auth/api-key-expiration), plan to regenerate API tokens and update integration or collector client configuration before they expire to prevent disruptions.🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@docs/snippets/auth/api-key-expiration.mdx` at line 2, The sentence in the shared snippet uses the narrow phrase "integration configuration" which can mislead collector-client setup flows; update the wording to broaden the scope to include collector clients (e.g., change "update the integration configuration" to "update the integration configuration and collector client settings" or similar) so the snippet applies to both integrations and collector clients while preserving the rest of the sentence about regenerating API tokens before they expire.docs/integrations/splunk/siem/install.mdx (1)
95-95: Note: Same anchor inconsistency as Splunk SOAR.This page also uses the singular anchor
#non-personal-api-token. Ensure consistency with other integration docs and verify the anchor exists in the target page.🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@docs/integrations/splunk/siem/install.mdx` at line 95, The Note uses a singular anchor (/integrations/bloodhound-api/working-with-api#non-personal-api-token) which is inconsistent with other integration docs; open the target page (working-with-api) to confirm the canonical anchor (e.g., plural form like `#non-personal-api-tokens`) and update the Note's link text to match that canonical anchor, replacing the href in the Note element and verifying the anchor actually exists on the target page so the link resolves correctly.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@docs/integrations/bloodhound-api/working-with-api.mdx`:
- Line 39: Remove the accidental trailing character 'å' from the bullet text "An
API token and token ID pair is generated in the Administration interface. API
tokens are primarily used for integrations and automation.å" in the docs content
by editing that sentence (e.g., in the string containing "An API token and token
ID pair is generated in the Administration interface...") so it ends with a
normal period and no stray characters.
- Line 39: The authentication summary in "authentication summary" currently
states API tokens are generated in Administration but later the "personal-token
flow" correctly references My Profile → API Key Management; update the summary
text to mention both creation paths (Administration interface for admin-issued
tokens and My Profile → API Key Management for personal API keys) and make the
same fix in the repeated paragraph around lines 107–113 so both locations
consistently describe both token-generation locations and their intended use.
- Around line 139-141: Replace the quoted key/value examples in the HTTP header
snippets with plain HTTP header format: change the snippet containing
"'Authorization': Bearer $JWT_TOKEN" to "Authorization: Bearer $JWT_TOKEN" and
similarly convert the block containing "'Authorization': bhesignature
$TOKEN_ID", "'RequestDate': $RFC3339_DATETIME", and "'Signature':
$BASE64ENCODED_HMAC_SIGNATURE" to plain lines "Authorization: bhesignature
$TOKEN_ID", "RequestDate: $RFC3339_DATETIME", and "Signature:
$BASE64ENCODED_HMAC_SIGNATURE"; make the same replacement for the other
occurrence of the bhesignature block referenced in the comment.
In `@docs/integrations/splunk/soar/configure.mdx`:
- Line 33: Update the broken anchor in the Markdown link by replacing the
singular fragment "#non-personal-api-token" with the plural
"#non-personal-api-tokens" in the link text "BloodHound Enterprise [non-personal
API
token](/integrations/bloodhound-api/working-with-api#non-personal-api-token)" so
it matches the target heading "Non-personal API tokens".
---
Duplicate comments:
In `@docs/manage-bloodhound/auth/api-key-expiration.mdx`:
- Line 24: Pick the verified system behavior (whether enabling API key
expiration affects existing API keys or not) and make the document consistent:
update the sentence "After enabling API key expiration, all existing API keys
will be set to expire based on the configured validity period." plus the other
conflicting statements in the bullets, table, and step text so they all state
the same verified behavior, remove or reword any sentence that contradicts it,
and add a short clarifying note about what admins must do for existing keys
(e.g., rotation steps if they are affected) to avoid ambiguity; ensure you
change the sentence, the bullet list entries, and the table/step descriptions
referenced in this file so every occurrence matches the chosen behavior.
---
Nitpick comments:
In `@docs/integrations/splunk/siem/install.mdx`:
- Line 95: The Note uses a singular anchor
(/integrations/bloodhound-api/working-with-api#non-personal-api-token) which is
inconsistent with other integration docs; open the target page
(working-with-api) to confirm the canonical anchor (e.g., plural form like
`#non-personal-api-tokens`) and update the Note's link text to match that
canonical anchor, replacing the href in the Note element and verifying the
anchor actually exists on the target page so the link resolves correctly.
In `@docs/snippets/auth/api-key-expiration.mdx`:
- Line 2: The sentence in the shared snippet uses the narrow phrase "integration
configuration" which can mislead collector-client setup flows; update the
wording to broaden the scope to include collector clients (e.g., change "update
the integration configuration" to "update the integration configuration and
collector client settings" or similar) so the snippet applies to both
integrations and collector clients while preserving the rest of the sentence
about regenerating API tokens before they expire.
In `@docs/snippets/integrations/servicenow-create-user.mdx`:
- Line 7: Replace the inconsistent phrase "token key and token ID" in the
related ServiceNow snippet with "non-personal API token pair" so terminology
matches the updated snippet; locate the sentence(s) containing the exact string
"token key and token ID" and update them to use "non-personal API token pair"
(keeping any clarifying parentheses or examples intact) and ensure any
subsequent references in that snippet also use the same term.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 8cfc5c07-61b1-4efe-9e58-63013e0bf8a6
⛔ Files ignored due to path filters (10)
docs/assets/image1-1.pngis excluded by!**/*.pngdocs/assets/image1-2.pngis excluded by!**/*.pngdocs/assets/image1-3.pngis excluded by!**/*.pngdocs/assets/image1-5.pngis excluded by!**/*.pngdocs/assets/image1-6.pngis excluded by!**/*.pngdocs/assets/image1-7.pngis excluded by!**/*.pngdocs/images/admin/create-token.pngis excluded by!**/*.pngdocs/images/admin/enable-api-key-expiration.pngis excluded by!**/*.pngdocs/images/admin/generate-api-token.pngis excluded by!**/*.pngdocs/images/admin/regenerate-auth.pngis excluded by!**/*.png
📒 Files selected for processing (19)
docs/analyze-data/configuration.mdxdocs/collect-data/enterprise-collection/create-collector.mdxdocs/docs.jsondocs/get-started/security-boundaries/enterprise-security-overview.mdxdocs/install-data-collector/install-azurehound/create-configuration.mdxdocs/install-data-collector/install-sharphound/local-configuration.mdxdocs/integrations/bloodhound-api/working-with-api.mdxdocs/integrations/cortex-xsoar/configure.mdxdocs/integrations/service-now/security-incident-response/configure.mdxdocs/integrations/service-now/vulnerability-response/configure.mdxdocs/integrations/splunk/siem/install.mdxdocs/integrations/splunk/soar/configure.mdxdocs/manage-bloodhound/auth/api-key-expiration.mdxdocs/manage-bloodhound/auth/overview.mdxdocs/manage-bloodhound/auth/users-and-roles.mdxdocs/snippets/auth/api-key-expiration.mdxdocs/snippets/auth/copy-api-token.mdxdocs/snippets/integrations/servicenow-connect-bloodhound.mdxdocs/snippets/integrations/servicenow-create-user.mdx
Scoubi
left a comment
There was a problem hiding this comment.
A few comments, some are repetitive, to make sure it's updated through out.
| | Rotation period changes | Each token keeps the earlier of its current expiration and now + configured days. | | ||
| | Feature disabled | Expiration enforcement stops immediately, expiration dates are cleared, and tokens no longer expire. | | ||
|
|
||
| To enable and configure API key expiration: |
There was a problem hiding this comment.
In BHE, users can't enable this (now)
There was a problem hiding this comment.
BHE Customers need to ask their TAM to enable this (for now)
| | Rotation period changes | Each token keeps the earlier of its current expiration and now + configured days. | | ||
| | Feature disabled | Expiration enforcement stops immediately, expiration dates are cleared, and tokens no longer expire. | | ||
|
|
||
| To enable and configure API key expiration: |
There was a problem hiding this comment.
BHE Customers need to ask their TAM to enable this (for now)
| Administrators can [configure expiration](/manage-bloodhound/auth/api-key-expiration) for all API keys in BloodHound Enterprise. This setting helps reduce long-lived credentials and supports internal compliance requirements. | ||
|
|
||
| * New API keys expire after 90 days by default. | ||
| * New API keys expire after 365 days by default. |
There was a problem hiding this comment.
Will put 90 days for now as we can't change the number of days (the change was not deemed important enough)
So we'll put 90 days everywhere here and change it later.
|
Reverted and re-created PR for a future release. See #262. |
Summary by CodeRabbit