Subscribe to this blog to receive periodic product release announcements for developers and tips and tricks for using API.

Keep It Secret, Keep It Safe!

We are excited to see more and more people asking questions and sharing feedback in the SKY API Community!  All this growth and activity means it is a great time to post some security-related best practices and reminders.
 
Today I’d like to talk about posting questions and screenshots.
 
When working with SKY API, there are three sensitive values that shouldn't be posted in screen shots or in the question text:
 
1. Your application secret
 
When you register an application, we assign a pair of values that uniquely identify your application.  In the OAuth 2.0 vernacular and spec, these values are known as "client ID" and "client secret".  Within the SKY API documentation, we generally refer to these values as "application ID" and "application secret" (the term "client" is already heavily overloaded in the tech world!).  The application ID is not considered a sensitive value, but the application secret is considered top secret (hence the name!) and shouldn't be shared with anyone!
 
These values are used when exchanging short-lived authorization codes for longer-lived access tokens and refresh tokens...they allow your application to make calls to the SKY API!

If you feel your application's secret has been compromised, you can regenerate it within the developer portal on the My Applications page.  Be sure to update your application settings or code with the new secret.

2. Your SKY API subscription key
 
When you request a subscription to the SKY API, we provide you with two subscription keys (labelled "primary" and "secondary" in the portal.  Both keys are equally functional - we provide two keys to support a rotation strategy on your end.
 
When you call the SKY API, you must include your subscription key (either primary or secondary) as the value of the bb-api-subscription-key header.  Similar to the application secret, this value is considered sensitive and should not be shared with anyone!  Treat it like a password, and if you believe either key has been compromised you can regenerate them within the developer portal on the My Profile page.
 
3. Your access token
 
The access token that you receive (either within your application or within the SKY API Console application) is tied to the consenting user's account and organization.  It represents a Blackbaud customer's permission to access their data (on behalf of the consenting user), and is included as the value of the Authorization request header when making calls to the SKY API.
 
As with your application secret and subscription keys, the access token itself is a very sensitive value that should not be shared with anyone else!  The token itself is considered an opaque value that will expire after a short amount of time (refresh-able if you're using the authorization code flow).
 
In Summary
 
Together, these three sensitive values permit your application to call the SKY API to access customer data - be sure to handle them appropriately!
Posted by Ben Lambert on May 8, 2017 11:30 AM America/New_York