How to use API Keys

Comments

30 comments

  • Dave .

    "When you use API Keys, you'll no longer be able to access the API with just your username and password"

    ----------------

     

    ......and this means that you cannot use API keys and also have Business Insights or Zapier running on your GoCanvas account

     

    GoCanvas requires users to choose between having API keys activated and using Business Insights/Zapier.

     

    1
  • Sara Kaplow, Community Manager

    That's true for now. We're looking into fixing that and I will update here when I know more. 

    0
  • Dave .

    What's the likely timeline to seeing a fix?

     

    0
  • Dave .

    Hi Sara - do you have a time frame for this?

     

    0
  • Sara Kaplow, Community Manager

    Hi Dave,

    I don't have a time frame, but it is actively and intensely being worked on. The goal is to get it out ASAP. I'll let you know when I hear about an ETA. 

    0
  • Dave .

    Is there any more news on this one?

    0
  • Sara Kaplow, Community Manager

    Hey Dave,

    The BI fix will be out this month - it's being tested right now. I'm waiting on an answer about the Zapier timeline and will report back. 

    0
  • Dhruvit Patel

    What is API endpoint? How can I use this api_key in Python code?

    0
  • Sara Kaplow, Community Manager

    Hi Dhruvit,

    An endpoint is one end of an API communication channel, which usually ends up being a URL. Here's a nice definition from Stack Overflow:

    An endpoint is the 'connection point' of a service, tool, or application accessed over a network. In the world of software, any software application that is running and "listening" for connections uses an endpoint as the "front door." When you want to connect to the application/service/tool to exchange data you connect to its endpoint. 

    So you'd point something in Python to the GoCanvas endpoint in order to pull data from the system. Hope that helps!

    0
  • Dave .

    Hi Sara,

    The API / Username / Password fix must be ready to go live?   Any updates you can share?

    0
  • Sara Kaplow, Community Manager

    Hey Dave,

    The new version of Business Insights is ready, but hasn't officially been released. I can send that to you directly if you'd like, while we wait for the download link to be updated. The Zapier fix is still in the works, and I'm trying to get a timeline on that. 

    0
  • Dave .

    Yes, that would be good as well as any documentation that goes with it.

    0
  • Dave .

    Hi Sara - just checking in on this one again. Have not received anything.

     

    0
  • Sara Kaplow, Community Manager

    Hey Dave, just sent it again - it should come through looking like a support ticket. Let me know if you're not seeing it still. Thanks!

    0
  • Dave .

    Have downloaded and briefly had a look at the new Business Insights plugin for Excel that was part of the GoCanvas API fix.

     

    From what I can see it works in the following way:

     

    1. If API Keys not activated on GoCanvas menu
      1. User logs in with username and password via Excel
    2. If API Keys is activated on GoCanvas Menu
      1. User logs in with username and API Keys via Excel


    Surprised to see the improvement was to make an API key necessary in Excel rather than making a change on the GoCanvas end to allow both methods access.

    Struggling to see an efficient process for how we hand out and manage security of API keys. Be interested to get GoCanvas thoughts on how you see this being managed.

    0
  • Dave .

    Sara - Did you have a chance to have a look at this one?

    0
  • Sara Kaplow, Community Manager

    Hey Dave, sorry for the lack of reply. I'm checking with a colleague on if what you described is the expected functionality and will report back. 

    0
  • Dave .

    Hi Sara - any more news on this one?

    0
  • Sara Kaplow, Community Manager

    Hey Dave,

    I've been told that what you've described is the expected behavior. As you said, once you have API keys activated, that's the only way to access things that rely on the API (which both Business Insights and Zapier do). I do realize this makes things tough if multiple people are trying to use Business Insights. I'd recommend having one person have ownership over who gets/needs an API key and try to limit that as much as possible. I'd also make sure to be very precise with naming the keys, to reduce confusion and make it easier to maintain. I'll keep poking around about this, but I do think it's unlikely we'll have a hybrid solution coming soon. 

    0
  • Dave .

    I really hope this is being escalated in your business. Even if we were to go to the effort of maintaining a system that issues an API key per user needing Excel access and, as you put it, be “very precise with naming the keys”, there is a significant security risk.

    I don’t feel I should need to explain this to GoCanvas but the fact that I’m not getting a response in Australia to my emails and the delays and gaps with what is being written here suggests it is not understood.

    When an API key is issued in GoCanvas it is essentially a common password for all users with access. If someone has the API key they need only have a guess at an email address that has that access and they now pull down every record, upload etc.

    If departments are activated it may be contained to a department otherwise it is across the business.  

    Is there anyone in GoCanvas I can follow this up with?   

     

     

     

     

    0
  • Sara Kaplow, Community Manager

    You're welcome to put in a feature request (I know you had one for using API keys with BI and Zapier, but this is more specific so I'd either amend that one or put in a new one) or surface it with your Account Manager.

    The challenge is that this combination of feature usage - API keys and multiple users needing to access Business Insights - is incredibly uncommon. I will bring it up again with the product manager who oversees integrations, but I can't make any promises that this is something that will be addressed. He's on vacation, but I'll connect with him when he's back in the office. 

    I do apologize for the bigger gaps here. That's on my team, and we'll work on improving responses in the Help Center. 

    Replies here won't generally come during AU hours, however, as the Help Center and Community are maintained by a US-based team separate from Support. We do have a Support Team in Australia, so you'll get answers to tickets in AU business hours, but not responses to posts here (unless we can't sleep). 

    0
  • Dave .

    The gap here isn’t that GoCanvas isn’t responding in AU business hours, it’s that responses don’t come in days, weeks and in some instances months and that I need to keep prompting again and again. If you look back at the posts the times and dates support this. This will be seen throughout any number of other posts for myself and others.

    This issue we are talking about has been raised at length locally with account management without result.  

    If it is necessary for me to raise another feature request I can do that for you. This will be for the exact same issue though.

    Regarding the comment that API Keys and multiple users needing access to Business Insights is incredibly uncommon...... I would suggest that this is because the current offering of Business Insights and API keys means that not only would this be uncommon but it is impossible by design.

     

    Given this manager is on vacation is there someone else in the business this issue can be referred to?

     

     

     

    0
  • Sara Kaplow, Community Manager

    Hi Dave,

    As I said, I will take it up with the product owner when he returns, and I have escalated it to his team in the meantime. I don't think we're likely to make adjustments to the way this works, but I will talk through what you're encountering and hopefully be able to provide a more technical explanation as to why we've gone this route sometime next week. 

    The use case isn't limited because the functionality isn't there, but rather that we have a very small group of users who have implemented API keys, and a small group of users using Business Insights (which gets even smaller if you're talking about multiple users having access to the tool), and so the potential for overlap is therefore even smaller. 

    With regards to the long periods of no response, that's simply because there's nothing to report. If a request is chosen for development and gets to the point where we're ready to talk about it publicly, the post will get updated. Until then, you can assume that they aren't actively being worked on or are far enough out to not merit an update. 

     

    0
  • Sara Kaplow, Community Manager

    Hi Dave,

    I wanted to follow up here. I brought some folks together internally to try to understand why we implemented API keys this way and what our technical folks would recommend for your use case. Here's what we came to: 

    1. We initially built API keys based on specific requirements from one of our customers, which we then validated with other customer interviews. No one else that we talked to during the requirements-gathering process needed to use both API keys and username/password, which is why we limited the scope to using just the webservices API, not API in combination with either Zapier or Business Insights.

    2. As for what they recommend, it basically came down to either managing API keys or not using the feature. One thing we had users do before API keys was use a single username and password on the account for API access. So instead of connecting the API using an actual person's account (which can cause issues with security, people changing their passwords, etc.), we can create a free user on your account that can specifically be used for the API hookup. Then you can continue using BI and have a less fragile API setup without using API keys. Let me know if you're interested in that. 

    Thanks,

    Sara

    0
  • Raj Periyasamy

    Hi Sara,

     

    Hope you are doing well. I just recently got access in Canvas. I am doing an API call in Python with a JSON dict; do you have documentation for that? At least an example of a GET response.

    0
  • Raj Periyasamy

    Hi Chip,

     

    Hope you are doing well. I already posted on the community page. I need an example or a screenshot of how to have the URL in Python with the API; confused with the username and where to provide it. Your help will be highly appreciated as I am trying to do an API call and create a dataframe for analysis and comparing with another database we are using.

     

    Regards,

    Raj.

    0
  • Chip Phillips, Community Manager

    Howdy Raj,

    Thank you for sharing this feedback in the Community! I reached out to our Engineering team on this matter. They shared that we don't return JSON to any API calls, only XML.

    You will need to send a header in their request using the key value pair Authorization : [API Key]. As far as how to send a header, or how to structure an API call using Python to reach one of our API endpoints, we don't have any screenshots or examples available.

    Hopefully other users in the Community have examples or screenshots they can share on your Community post here.

    0
  • Chris Crowley

    It would be great if we could use both the username/password API requests and the API key requests at the same time. We have dozens of apps syncing data and there is no way to switch all of them over to the API keys at once. An API key for authentication seems like the better, more industry standard approach, but because of this limitation it seems impossible to migrate to it without serious headaches.

    2
  • Tim Wells

    It needs to be possible to do both at the same time. Ideally once the API key is enabled, there would be another option to disable the username/password once all of the programs using the API have been updated.

    It would also be easier to switch to the API key if it worked as query string parameters like the username and password method does.  Putting the key in the headers and the username in the body requires additional programming to modify the interfaces.

    I would like to switch to the API key, but have not because there is no way to test it without interrupting the current interfaces, and it is more complicated due to the header and body requirements.

    It would not be as bad that the username and password method stops working if it used query string parameters, because it would be a simple change to the URL.

    1
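
Added example, not part of the thread and not GoCanvas code: a Python sketch of the request shape Chip Phillips and Tim Wells describe above (API key in an Authorization header, username in the body, XML in the response), with the key kept out of the URL and out of log output. Assumptions: the endpoint URL is a placeholder, and the POST method, the "username" field name, the GOCANVAS_API_KEY variable name and the XML element names are all hypothetical.

```python
import os
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Placeholder endpoint: the thread does not give the real URL.
ENDPOINT = "https://gocanvas.example.invalid/PLACEHOLDER_ENDPOINT.xml"

def build_request(api_key, username, endpoint=ENDPOINT):
    """Key goes in the Authorization header, username in the form body."""
    if not api_key or any(c in api_key for c in "\r\n"):
        raise ValueError("missing or malformed API key")
    if not endpoint.lower().startswith("https://"):
        raise ValueError("refusing to send an API key over a non-TLS URL")
    # "username" as the body field name and POST are assumptions.
    body = urllib.parse.urlencode({"username": username}).encode()
    return urllib.request.Request(endpoint, data=body, method="POST",
                                  headers={"Authorization": api_key})

def redact(req):
    """Header view that is safe to log: key masked except its last 4 chars."""
    return {k: ("****" + v[-4:] if k.lower() == "authorization" else v)
            for k, v in req.header_items()}

def parse_xml(payload):
    """The API returns XML, never JSON. Returns (rows, error_text)."""
    root = ET.fromstring(payload)
    err = root.find(".//Error")  # element names are constructed for this sample
    if err is not None:
        return [], (err.text or "").strip()
    rows = [{child.tag: child.text for child in sub}
            for sub in root.iter("Submission")]
    return rows, None

# Constructed sample responses, not captured from the real service.
SAMPLE_OK = (b"<Result><Submissions><Submission><Id>1</Id>"
             b"<Form>Inspection</Form></Submission></Submissions></Result>")
SAMPLE_ERR = b"<Result><Error>Invalid credentials</Error></Result>"

if __name__ == "__main__":
    # Read the key from the environment rather than hard-coding it.
    key = os.environ.get("GOCANVAS_API_KEY", "constructed-demo-key-0000")
    req = build_request(key, "analyst@example.com")
    print(req.get_method(), req.full_url, redact(req))
    print(parse_xml(SAMPLE_OK))
    print(parse_xml(SAMPLE_ERR))
    # To send for real: urllib.request.urlopen(req, timeout=30).read()
```

The rows returned by parse_xml are plain dicts, so they can be passed straight to a dataframe constructor for the kind of analysis Raj Periyasamy mentions.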
  • Kevin Willis

    Please implement this change.  Need both API and username/password. Paying a lot of money for the service and the loops we need to jump through to get the data back are crazy

    1