As part of the Company Dashboard available in the Enterprise plan, Company Administrators have a section called "API Keys" where they can manage MURAL API keys to perform company-level actions.
Company Administrators can create or revoke API keys, which are used for machine-to-machine (M2M) authentication. API keys are never stored in MURAL systems.
Creating API Keys
Company Administrators can generate API keys on demand when they access the "API Keys" section in the Company Dashboard.
Currently, API keys are only for MURAL's Deprovisioning API, but in the future, you will be able to create keys for other APIs as well.
When the Company Administrator clicks on “Create API Key,” a prompt will appear explaining that the key works for suspending and unsuspending MURAL accounts. This is the only time the full API key will be visible in the Company Dashboard, so copy it at this point and store it securely. API keys are never stored in MURAL systems.
By not storing API keys in our systems, we are providing the highest level of security to Company Administrators and Enterprise customers. There is no risk of anyone accessing your API keys through MURAL. If there are multiple Company Administrators, they will each need to make their own API keys for different scopes.
Once a key is created, it will be listed in the Company Dashboard, but it is never stored or displayed in full. You will see only the first four and last four characters of the key, which helps with identification when multiple keys have been created. The listed keys are active and can be used in their different scopes.
Note: There is no authentication flow, such as OAuth, to obtain API keys since there is no need to perform actions on a user's behalf.
Revoking API Keys
If an API key needs to be revoked for internal security policies or standards, or if there's a security breach, the Company Administrator can do so in the Company Dashboard.
In order to revoke a key, a Company Administrator will need to identify the exact key by following the prompts and then clicking on "Revoke API Key." Once a key is revoked, it can't be used to make further requests to MURAL APIs.
Once the Company Administrator revokes access, that specific API key will no longer be valid and will need to be replaced by a new key in the integrations where it was in use.
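Before revoking a key, it helps to know which integrations hold it. The sketch below is an added example, not MURAL code: it matches the first-four/last-four identifiers shown in the dashboard against a local inventory of keys, and the function names, integration names and key values are all constructed for illustration.

```python
# Added example: reconcile dashboard key identifiers with a local secret inventory.
# Every key and integration name below is a constructed sample value.

def fingerprint(key):
    """Return (first four, last four) characters, the identifier the dashboard lists."""
    if len(key) < 8:
        raise ValueError("key is too short to have distinct first/last four characters")
    return key[:4], key[-4:]


def reconcile(listed, inventory):
    """Compare dashboard identifiers with the keys held by integrations.

    listed:    (first4, last4) pairs copied by hand from the "API Keys" section.
    inventory: integration name -> full key, as read from your own secret store.
    Returns (in_use, unplaced, unlisted); full keys never appear in the result.
    """
    holders = {}
    for name, key in inventory.items():
        # Two keys can share the same eight characters; keep every holder.
        holders.setdefault(fingerprint(key), []).append(name)
    listed_set = set(listed)
    # Listed key -> integrations that need a new key once it is revoked.
    in_use = {fp: sorted(holders[fp]) for fp in listed if fp in holders}
    # Listed keys that no known integration holds: their location is unknown.
    unplaced = [fp for fp in listed if fp not in holders]
    # Integrations holding a key that is not in the copied list.
    unlisted = sorted(name for fp, names in holders.items()
                      if fp not in listed_set for name in names)
    return in_use, unplaced, unlisted


SAMPLE_INVENTORY = {  # constructed; in practice read from a secret manager
    "idp-deprovisioning": "a1B2exampleKEYvalue000x9Z8",
    "hr-offboarding-job": "Qw3rexampleKEYvalue111Lm4n",
    "old-test-script": "zzzzexampleKEYvalue222yyyy",
}
SAMPLE_LISTED = [("a1B2", "x9Z8"), ("Qw3r", "Lm4n"), ("7777", "8888")]  # constructed

if __name__ == "__main__":
    in_use, unplaced, unlisted = reconcile(SAMPLE_LISTED, SAMPLE_INVENTORY)
    for (first, last), names in in_use.items():
        print(f"{first}...{last}: replace in {', '.join(names)} after revoking")
    for first, last in unplaced:
        print(f"{first}...{last}: listed, but no known integration holds it")
    for name in unlisted:
        print(f"{name}: holds a key that is not in the copied list")
```

A listed key that no known integration holds is a natural candidate for revocation, since nobody can account for where it is stored.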
API key management is accessible to Company Administrators as part of the Company Dashboard in the Enterprise plan. You can access API key management by clicking on your avatar in the lower left-hand corner and selecting "Company Dashboard."