Skip to content

BED-7559: API key expiration#251

Merged
jeff-matthews merged 18 commits into
release/v9.0.0from
BED-7559-api-key-exp
Apr 9, 2026
Merged

BED-7559: API key expiration#251
jeff-matthews merged 18 commits into
release/v9.0.0from
BED-7559-api-key-exp

Conversation

@jeff-matthews

@jeff-matthews jeff-matthews commented Apr 1, 2026

Copy link
Copy Markdown
Contributor

Summary by CodeRabbit

  • Documentation
    • Added comprehensive API key expiration configuration documentation with step-by-step setup instructions
    • Updated terminology across integration guides from "API key/ID pair" to "API token"
    • Added API key expiration guidance in collector and integration configuration documentation
    • Updated authentication overview with link to API key expiration management
    • Added security notes for API token handling and manual rotation requirements

@jeff-matthews jeff-matthews self-assigned this Apr 1, 2026
@jeff-matthews jeff-matthews added next release Should be merged as the next BH release go out administration Docs related to managing general tenant configuration v9.0.0 labels Apr 1, 2026
@mintlify

mintlify Bot commented Apr 1, 2026

Copy link
Copy Markdown

Preview deployment for your docs. Learn more about Mintlify Previews.

Project Status Preview Updated (UTC)
bloodhound 🟢 Ready View Preview Apr 1, 2026, 2:51 PM

@coderabbitai

coderabbitai Bot commented Apr 1, 2026

Copy link
Copy Markdown
Contributor

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 1fb97a36-5fb9-41d3-a20b-0f16e2a518cd

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review

Walkthrough

Documentation expanded to introduce and explain BloodHound Enterprise API key expiration feature, including new dedicated configuration page, updates to security overview, integration guides, and collector setup instructions. Terminology across docs updated from "API key/ID pair" to "non-personal API token."

Changes

Cohort / File(s) Summary
API Key Expiration Feature Documentation
docs/manage-bloodhound/auth/api-key-expiration.mdx, docs/snippets/auth/api-key-expiration.mdx, docs/get-started/security-boundaries/enterprise-security-overview.mdx
New comprehensive documentation page and shared snippet covering API key expiration controls, prerequisites, configuration steps, and manual rotation guidance. Enterprise security overview updated to detail expiration policies and defaults.
Authentication & Administration Pages
docs/manage-bloodhound/auth/overview.mdx, docs/manage-bloodhound/auth/users-and-roles.mdx, docs/analyze-data/configuration.mdx
Added API key expiration configuration card to auth overview, added Administrator-only capability row to roles table, and added expiration section to BloodHound configuration docs.
Collector Setup Documentation
docs/collect-data/enterprise-collection/create-collector.mdx, docs/install-data-collector/install-azurehound/create-configuration.mdx, docs/install-data-collector/install-sharphound/local-configuration.mdx
Embedded API key expiration snippet and clarified that authentication tokens must be saved immediately as they are displayed only once; added warnings about token regeneration if lost.
Core API Documentation
docs/integrations/bloodhound-api/working-with-api.mdx
Restructured to add API Explorer section, JWT authentication details, API key expiration subsection for Enterprise, and updated authentication workflow steps with reworded guidance from "API key/ID pair" to "API token" terminology.
Third-Party Integration Guides
docs/integrations/cortex-xsoar/configure.mdx, docs/integrations/service-now/security-incident-response/configure.mdx, docs/integrations/service-now/vulnerability-response/configure.mdx, docs/integrations/splunk/siem/install.mdx, docs/integrations/splunk/soar/configure.mdx
Updated prerequisites to require non-personal API token instead of API key/ID pair; added API key expiration snippet imports; updated credential links to point to new token documentation sections.
Reusable Documentation Snippets
docs/snippets/auth/copy-api-token.mdx, docs/snippets/integrations/servicenow-connect-bloodhound.mdx, docs/snippets/integrations/servicenow-create-user.mdx
Added note clarifying both authentication values are displayed only once and required for authentication; updated ServiceNow integration snippets to reference non-personal API token pair instead of API key/ID pair.
Navigation Structure
docs/docs.json
Added route entry for new API key expiration documentation page under Manage BloodHound → Authentication and Authorization navigation group.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 ✨ Hop along, dear BloodHound friends,
Your tokens now have expiration ends!
A ninety-day rotation takes the stage,
New docs light up each admin page,
So regenerate before they fade away! 🔄

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title 'BED-7559: API key expiration' accurately summarizes the main change—adding comprehensive documentation for API key expiration features across multiple docs.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch BED-7559-api-key-exp

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

Comment thread docs/manage-bloodhound/auth/api-key-expiration.mdx Outdated
Comment thread docs/manage-bloodhound/auth/api-key-expiration.mdx Outdated
Comment thread docs/manage-bloodhound/auth/api-key-expiration.mdx Outdated
Comment thread docs/manage-bloodhound/auth/api-key-expiration.mdx Outdated
description: Learn how to configure API key expiration in BloodHound Enterprise to enhance security and meet compliance requirements.
---

<img noZoom src="/assets/enterprise-edition-pill-tag.svg" alt="Applies to BloodHound Enterprise only" />

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

TODO: Confirm if BHE only

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It should work in BHCE too. Even if we're not expecting many people to use it in BHCE

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Removed BHE-only flags

@jeff-matthews

Copy link
Copy Markdown
Contributor Author

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Apr 1, 2026

Copy link
Copy Markdown
Contributor
✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 4

♻️ Duplicate comments (1)
docs/manage-bloodhound/auth/api-key-expiration.mdx (1)

24-24: ⚠️ Potential issue | 🟠 Major

Resolve contradictory guidance on existing API keys.

This page currently says existing keys are both affected and unaffected after enabling expiration. That creates operational ambiguity for admins planning rotation and can lead to outages. Please make these statements consistent and reflect one verified behavior throughout the bullets, table, and step text.

Also applies to: 34-35, 58-62

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@docs/manage-bloodhound/auth/api-key-expiration.mdx` at line 24, Pick the
verified system behavior (whether enabling API key expiration affects existing
API keys or not) and make the document consistent: update the sentence "After
enabling API key expiration, all existing API keys will be set to expire based
on the configured validity period." plus the other conflicting statements in the
bullets, table, and step text so they all state the same verified behavior,
remove or reword any sentence that contradicts it, and add a short clarifying
note about what admins must do for existing keys (e.g., rotation steps if they
are affected) to avoid ambiguity; ensure you change the sentence, the bullet
list entries, and the table/step descriptions referenced in this file so every
occurrence matches the chosen behavior.
🧹 Nitpick comments (3)
docs/snippets/integrations/servicenow-create-user.mdx (1)

7-7: Update related ServiceNow snippet for consistent terminology.

The change on line 7 correctly uses "non-personal API token pair", aligning with the PR's terminology standardization. However, servicenow-connect-bloodhound.mdx:77 still uses "token key and token ID" (though line 79 clarifies these refer to the "non-personal API token pair"). Since both snippets are used together in the ServiceNow integration workflow, update the related file to use "non-personal API token pair" consistently throughout.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@docs/snippets/integrations/servicenow-create-user.mdx` at line 7, Replace the
inconsistent phrase "token key and token ID" in the related ServiceNow snippet
with "non-personal API token pair" so terminology matches the updated snippet;
locate the sentence(s) containing the exact string "token key and token ID" and
update them to use "non-personal API token pair" (keeping any clarifying
parentheses or examples intact) and ensure any subsequent references in that
snippet also use the same term.
docs/snippets/auth/api-key-expiration.mdx (1)

2-2: Broaden scope from integrations to integrations and collector clients.

This shared snippet is used in collector-client setup flows, so “integration configuration” is too narrow and can mislead readers in those contexts.

✏️ Proposed wording update
-  If a BloodHound Enterprise administrator has [configured API key expiration](/manage-bloodhound/auth/api-key-expiration), plan to regenerate API tokens and update the integration configuration before they expire to prevent disruptions.
+  If a BloodHound Enterprise administrator has [configured API key expiration](/manage-bloodhound/auth/api-key-expiration), plan to regenerate API tokens and update integration or collector client configuration before they expire to prevent disruptions.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@docs/snippets/auth/api-key-expiration.mdx` at line 2, The sentence in the
shared snippet uses the narrow phrase "integration configuration" which can
mislead collector-client setup flows; update the wording to broaden the scope to
include collector clients (e.g., change "update the integration configuration"
to "update the integration configuration and collector client settings" or
similar) so the snippet applies to both integrations and collector clients while
preserving the rest of the sentence about regenerating API tokens before they
expire.
docs/integrations/splunk/siem/install.mdx (1)

95-95: Note: Same anchor inconsistency as Splunk SOAR.

This page also uses the singular anchor #non-personal-api-token. Ensure consistency with other integration docs and verify the anchor exists in the target page.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@docs/integrations/splunk/siem/install.mdx` at line 95, The Note uses a
singular anchor
(/integrations/bloodhound-api/working-with-api#non-personal-api-token) which is
inconsistent with other integration docs; open the target page
(working-with-api) to confirm the canonical anchor (e.g., plural form like
`#non-personal-api-tokens`) and update the Note's link text to match that
canonical anchor, replacing the href in the Note element and verifying the
anchor actually exists on the target page so the link resolves correctly.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@docs/integrations/bloodhound-api/working-with-api.mdx`:
- Line 39: Remove the accidental trailing character 'å' from the bullet text "An
API token and token ID pair is generated in the Administration interface. API
tokens are primarily used for integrations and automation.å" in the docs content
by editing that sentence (e.g., in the string containing "An API token and token
ID pair is generated in the Administration interface...") so it ends with a
normal period and no stray characters.
- Line 39: The authentication summary in "authentication summary" currently
states API tokens are generated in Administration but later the "personal-token
flow" correctly references My Profile → API Key Management; update the summary
text to mention both creation paths (Administration interface for admin-issued
tokens and My Profile → API Key Management for personal API keys) and make the
same fix in the repeated paragraph around lines 107–113 so both locations
consistently describe both token-generation locations and their intended use.
- Around line 139-141: Replace the quoted key/value examples in the HTTP header
snippets with plain HTTP header format: change the snippet containing
"'Authorization': Bearer $JWT_TOKEN" to "Authorization: Bearer $JWT_TOKEN" and
similarly convert the block containing "'Authorization': bhesignature
$TOKEN_ID", "'RequestDate': $RFC3339_DATETIME", and "'Signature':
$BASE64ENCODED_HMAC_SIGNATURE" to plain lines "Authorization: bhesignature
$TOKEN_ID", "RequestDate: $RFC3339_DATETIME", and "Signature:
$BASE64ENCODED_HMAC_SIGNATURE"; make the same replacement for the other
occurrence of the bhesignature block referenced in the comment.

In `@docs/integrations/splunk/soar/configure.mdx`:
- Line 33: Update the broken anchor in the Markdown link by replacing the
singular fragment "#non-personal-api-token" with the plural
"#non-personal-api-tokens" in the link text "BloodHound Enterprise [non-personal
API
token](/integrations/bloodhound-api/working-with-api#non-personal-api-token)" so
it matches the target heading "Non-personal API tokens".

---

Duplicate comments:
In `@docs/manage-bloodhound/auth/api-key-expiration.mdx`:
- Line 24: Pick the verified system behavior (whether enabling API key
expiration affects existing API keys or not) and make the document consistent:
update the sentence "After enabling API key expiration, all existing API keys
will be set to expire based on the configured validity period." plus the other
conflicting statements in the bullets, table, and step text so they all state
the same verified behavior, remove or reword any sentence that contradicts it,
and add a short clarifying note about what admins must do for existing keys
(e.g., rotation steps if they are affected) to avoid ambiguity; ensure you
change the sentence, the bullet list entries, and the table/step descriptions
referenced in this file so every occurrence matches the chosen behavior.

---

Nitpick comments:
In `@docs/integrations/splunk/siem/install.mdx`:
- Line 95: The Note uses a singular anchor
(/integrations/bloodhound-api/working-with-api#non-personal-api-token) which is
inconsistent with other integration docs; open the target page
(working-with-api) to confirm the canonical anchor (e.g., plural form like
`#non-personal-api-tokens`) and update the Note's link text to match that
canonical anchor, replacing the href in the Note element and verifying the
anchor actually exists on the target page so the link resolves correctly.

In `@docs/snippets/auth/api-key-expiration.mdx`:
- Line 2: The sentence in the shared snippet uses the narrow phrase "integration
configuration" which can mislead collector-client setup flows; update the
wording to broaden the scope to include collector clients (e.g., change "update
the integration configuration" to "update the integration configuration and
collector client settings" or similar) so the snippet applies to both
integrations and collector clients while preserving the rest of the sentence
about regenerating API tokens before they expire.

In `@docs/snippets/integrations/servicenow-create-user.mdx`:
- Line 7: Replace the inconsistent phrase "token key and token ID" in the
related ServiceNow snippet with "non-personal API token pair" so terminology
matches the updated snippet; locate the sentence(s) containing the exact string
"token key and token ID" and update them to use "non-personal API token pair"
(keeping any clarifying parentheses or examples intact) and ensure any
subsequent references in that snippet also use the same term.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 8cfc5c07-61b1-4efe-9e58-63013e0bf8a6

📥 Commits

Reviewing files that changed from the base of the PR and between 6fd25c9 and efd3258.

⛔ Files ignored due to path filters (10)
  • docs/assets/image1-1.png is excluded by !**/*.png
  • docs/assets/image1-2.png is excluded by !**/*.png
  • docs/assets/image1-3.png is excluded by !**/*.png
  • docs/assets/image1-5.png is excluded by !**/*.png
  • docs/assets/image1-6.png is excluded by !**/*.png
  • docs/assets/image1-7.png is excluded by !**/*.png
  • docs/images/admin/create-token.png is excluded by !**/*.png
  • docs/images/admin/enable-api-key-expiration.png is excluded by !**/*.png
  • docs/images/admin/generate-api-token.png is excluded by !**/*.png
  • docs/images/admin/regenerate-auth.png is excluded by !**/*.png
📒 Files selected for processing (19)
  • docs/analyze-data/configuration.mdx
  • docs/collect-data/enterprise-collection/create-collector.mdx
  • docs/docs.json
  • docs/get-started/security-boundaries/enterprise-security-overview.mdx
  • docs/install-data-collector/install-azurehound/create-configuration.mdx
  • docs/install-data-collector/install-sharphound/local-configuration.mdx
  • docs/integrations/bloodhound-api/working-with-api.mdx
  • docs/integrations/cortex-xsoar/configure.mdx
  • docs/integrations/service-now/security-incident-response/configure.mdx
  • docs/integrations/service-now/vulnerability-response/configure.mdx
  • docs/integrations/splunk/siem/install.mdx
  • docs/integrations/splunk/soar/configure.mdx
  • docs/manage-bloodhound/auth/api-key-expiration.mdx
  • docs/manage-bloodhound/auth/overview.mdx
  • docs/manage-bloodhound/auth/users-and-roles.mdx
  • docs/snippets/auth/api-key-expiration.mdx
  • docs/snippets/auth/copy-api-token.mdx
  • docs/snippets/integrations/servicenow-connect-bloodhound.mdx
  • docs/snippets/integrations/servicenow-create-user.mdx

Comment thread docs/integrations/bloodhound-api/working-with-api.mdx Outdated
Comment thread docs/integrations/bloodhound-api/working-with-api.mdx Outdated
Comment thread docs/integrations/splunk/soar/configure.mdx Outdated

@Scoubi Scoubi left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A few comments, some are repetitive, to make sure it's updated through out.

Comment thread docs/collect-data/enterprise-collection/create-collector.mdx Outdated
Comment thread docs/get-started/security-boundaries/enterprise-security-overview.mdx Outdated
Comment thread docs/integrations/bloodhound-api/working-with-api.mdx Outdated
| Rotation period changes | Each token keeps the earlier of its current expiration and now + configured days. |
| Feature disabled | Expiration enforcement stops immediately, expiration dates are cleared, and tokens no longer expire. |

To enable and configure API key expiration:

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In BHE, users can't enable this (now)

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

BHE Customers need to ask their TAM to enable this (for now)

Comment thread docs/manage-bloodhound/auth/api-key-expiration.mdx Outdated
Comment thread docs/manage-bloodhound/auth/api-key-expiration.mdx Outdated
Comment thread docs/manage-bloodhound/auth/api-key-expiration.mdx Outdated
Comment thread docs/manage-bloodhound/auth/api-key-expiration.mdx Outdated
@jeff-matthews jeff-matthews changed the base branch from main to release/v9.0.0 April 2, 2026 13:19

@Scoubi Scoubi left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Small changes

| Rotation period changes | Each token keeps the earlier of its current expiration and now + configured days. |
| Feature disabled | Expiration enforcement stops immediately, expiration dates are cleared, and tokens no longer expire. |

To enable and configure API key expiration:

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

BHE Customers need to ask their TAM to enable this (for now)

Administrators can [configure expiration](/manage-bloodhound/auth/api-key-expiration) for all API keys in BloodHound Enterprise. This setting helps reduce long-lived credentials and supports internal compliance requirements.

* New API keys expire after 90 days by default.
* New API keys expire after 365 days by default.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Will put 90 days for now as we can't change the number of days (the change was not deemed important enough)
So we'll put 90 days everywhere here and change it later.

@jeff-matthews jeff-matthews merged commit 3fdd93e into release/v9.0.0 Apr 9, 2026
3 checks passed
@jeff-matthews jeff-matthews deleted the BED-7559-api-key-exp branch April 9, 2026 20:34
@github-actions github-actions Bot locked and limited conversation to collaborators Apr 9, 2026
@jeff-matthews jeff-matthews restored the BED-7559-api-key-exp branch April 10, 2026 13:59
@jeff-matthews

Copy link
Copy Markdown
Contributor Author

Reverted and re-created PR for a future release. See #262.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Labels

administration Docs related to managing general tenant configuration next release Should be merged as the next BH release go out

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants