Follow
Managing API Keys for the Workfront System

***

In order to minimize API security vulnerabilities, system administrators can manage the API Keys used to enable applications to access Workfront on behalf of a user.

You can reset or remove your current administrator API Key, configure API Keys to expire, and remove the API Keys for all users.

Examples of applications that leverage the Workfront API are:

  • Document integrations such as Dropbox, Google Drive, and Workfront DAM

  • Workfront mobile applications

IMPORTANT: When resetting or removing an API Key, any application that leverages the Workfront API and authenticates to Workfront via this API Key must be re-configured in order to regain access to Workfront.

Understanding Workfront API Keys

Each user in Workfront has a unique API Key. This key is generated on a per-user basis at the time the user accesses an integration that leverages the Workfront API (such as the Workfront mobile app or a document integration).

NOTE API Keys you generate in the production environment are copied to your Preview environment during the weekly refresh. Any API Keys you generate in the Preview environment will be overwritten with your production API Keys during the weekly refresh.

Workfront system administrators also have a unique API Key. When an application uses an administrator API Key to access Workfront, the application has administrator access to Workfront.

Managing an Administrator API Key

You can generate, reset, or remove the API Key for your administrator user account. 

NOTE You can also generate an API Key through the API. For more information, see the "Event Subscription Authentication" section in "Event Subscription API."

  1. Click Setup in the Global Navigation Bar.


     
  2. Expand System, then click Customer Info.


  3. (Conditional) Perform one of the following actions:
    To generate an API Key: In the API Key Settings section, click Generate API Key.
    Or
    To reset an API Key: In the API Key Settings section, click Reset, then Reset.
    Or
    To remove the API Key: In the API Key Settings section, click Remove, then Remove

Generating an API Key for Non-Admin Users

You can generate and manage API Keys for users in roles other than system administrator.

  1. (Conditional) If your organization uses Single Sign-On (SSO) access management, temporarily disable the option requiring SSO authentication.
    1. Click Setup on the Global Navigation Bar.
    2. Expand System, then click Single Sign-on (SSO).
    3. Uncheck the checkbox requiring SSO authentication.
      For example, if your organization uses SAML 2.0, then un-check the checkbox for "Only Allow SAML 2.0 Authentication."
  2. In the address bar of a browser, enter the following API call:
    <domain>.my.workfront.com/attask/api/v7.0/user?action=generateApiKey&username=username&password=password&method=PUT
    Replace <domain> with your Workfront domain name, and username and password with the user's Workfront credentials.
  3. (Conditional) Enable the option requiring SSO authentication if you disabled it in Step 1.
    1. Click Setup on the Global Navigation Bar.
    2. Expand System, then click Single Sign-on (SSO).
    3. Check the checkbox requiring SSO authentication.

Configuring When API Keys Expire

You can configure API Keys to expire for all users in your system. When the API Key of a user expires, the user must re-authenticate to any applications that use the Workfront API to access Workfront. You can change the frequency with which the API Keys expire. You can also configure whether API Keys expire when the password of a user expires.

  1. Navigate to the Setup area of the Global Navigation Bar.
  2. Expand System, then click Customer Info.
     
  3. In the API Key Settings area, in the After creation, API keys expire in drop-down list, select the timeframe when you want the API keys to expire.
    When you change this option, the new timeframe begins from the time that you made the change. For example, if you change this option from 1 month to 6 months, the API Keys expire 6 months from the time you make the change.
    By default, API Keys expire each month.
  4. To configure API Keys to expire at the time the users' passwords expire, select Remove API key when a user's password expires.
    By default, this option is not selected.
    For information about how to configure user passwords to expire, see "Configuring System Security Preferences." 
  5. Click Save.

Removing the API Keys for All Users

If you are concerned about a particular security breach regarding your Workfront system, you can remove API Keys simultaneously for all users.

IMPORTANT Removing API Keys for all users invalidates ALL of the API Keys for all the users in the system. This action will cause all of your integrations in Workfront to fail until you generate a new API Key in Workfront and update all your integrations.

  1. Click Setup in the upper-right corner of the Workfront interface.


     
  2. Expand System, then click Customer Info.


     
  3. In the API Key Settings area, click Remove all API keys, then click Remove All.

Securing Outgoing API Calls with an X.509 Certificate

You can leverage the Workfront API to communicate with third-party applications. To increase the security of your Workfront site, you can configure Workfront to allow only trusted third-party applications to integrate with Workfront by uploading an X.509 certificate to Workfront. 

Obtaining the X.509 Certificate

Obtain a valid X.509 certificate from a trusted Certificate Authority (such as Verisign), and place it in a temporary location on your workstation. 

Uploading the Certificate to Workfront

After you have obtained the X.509 certificate from your Certificate Authority, you need to upload it to Workfront.

  1. Click Setup in the upper-right corner of the Workfront interface.


     
  2. Expand System, then click Customer Info.
  3. In the API Key Settings area, select Enable X.509 Certificate.
  4. On your workstation, browse to and select the X.509 certificate that you previously downloaded.
  5. (Optional) Click View Details next to the certificate name to view the following details about the certificate:
    • Subject Common Name
    • Subject Organization
    • Subject Organization Unit
    • Issuer Common Name
    • Issuer Organization
    • Issuer Organization Unit
    • Serial Number
    • Issue Date
    • Expiration Date
  6. Click Save

 ***DON'T DELETE, DRAFT OR HIDE THIS ARTICLE. IT IS LINKED TO THE PRODUCT, THROUGH THE CONTEXT SENSITIVE HELP LINKS. **

 

This article last updated on 2018-03-14 15:32:12 UTC