At Mambu, when we initially began using APIs, basic authentication (username and password) was considered a reliable method for authentication. However, as technology advanced and the demand for enhanced security grew, basic authentication became outdated. Nowadays, most technology companies have phased out support for username/password authentication and have transitioned to more secure and up-to-date solutions.
Most API Gateway vendors support the same core set of API security mechanisms with API Keys and OAuth 2.0 standing out as the most prominent choices for authentication and authorisation. Over the last few years, we’ve been working on our APIs. We wanted to share what we’ve learnt implementing a more powerful security model through a custom implementation on top of API Keys. We will explain our choices and share best practices.
How we chose the best authentication method for our needs
Our journey with API Keys began a few years ago. At the time it was the best solution for our needs as a Cloud Banking Platform and the needs of our customers. The reason was, API Keys are very simple to use from the consumer perspective:
- Customers get an API Key from Mambu
- They add the key to an Authorisation header
- They call the API
It can’t get simpler than that.
Also, in our case, we were looking to cover one main use case: authenticating and authorising application-to-application interaction within a private perimeter. With OAuth 2.0 being primarily designed for ‘non-developer’ users, who frequently need to access public-facing APIs to expose data towards end-users’ mobile or web applications, the choice was simple.
Secure use of API Keys
We have introduced the below options to provide our customers with means to leverage our API Key with an extra layer of protection.
- API Consumers: a client-like abstraction layer on top of API Keys. Simply put, API Consumers are API clients for system-to-system authentication (developers, partners, mobile apps). They allow our customers to generate API Keys and configure authorisations based on the roles and permissions assigned to each API Consumer. Our API Keys inherit the access scope settings from the API Consumer that creates them, and our implementation also comes with added functionality to address the risks associated with key management.
- Role-based access control: customers can apply flexible role-based access control to all API endpoints. They gain full control to determine who has access to API Consumers, how and when API Keys are generated and expire, when to rotate keys, etc.
- Ability to set a specific time to live (TTL): with Mambu, users can set an automatic expiration time for any API Key they create.
- Secure Key Rotation: API Keys can be easily rotated when needed using a secret key. Replacement keys are re-issued securely and customers can configure an adequate TTL.
- API Key Hashing: keys are stored with encryption at rest and are hashed for additional security, ensuring they are never stored or transmitted in plain text.
- Audit Trail: With our Audit Trail solution, we keep a log of all the API Consumers and API Key activities.
- IP Blocking: Mambu automatically blocks any IP address that issues a total of 10 requests using invalid credentials. Key rotation and expiration dates also contribute to reducing security risks.
API Keys best practices
Setting expiration time
As best practice, you should change/rotate your API Keys at least once a year or right after any attack attempt.
Key rotation with secret keys
API Key rotation allows you to invalidate specific API Keys using a secret key for authentication. When a key is rotated via our api-consumers-rotatekey endpoint, you will immediately receive a replacement API Key and a new secret key in the response body.
As best practice, we also recommend using the Automatic Expiry of API Consumer Key setting from Access Preferences. That way, if you forget to specify an expiration time for the replacement key in the rotation request, the key will expire after the TTL set through Automatic Expiry of the API Consumer Key, which overrides the TTL set via the API call, ensuring you won’t end up with keys that never expire.
If you want to learn more about how you can set expiration times, rotate keys and generate secret keys, please see our support documentation on API Keys.
API Key Hashing
In order to further enhance protection, API Keys are stored encrypted by our API Key management systems, in compliance with the highest security standards.
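To make the storage, rotation and blocking behaviour described in the sections above concrete, here is an added illustrative Python model; it is not Mambu’s code. Keys are shown to the caller once and only SHA-256 digests are stored, verification uses a constant-time comparison, the consumer-level Automatic Expiry caps any per-call TTL, rotation requires the separate secret and invalidates the old key immediately, and an IP is blocked after 10 invalid requests. The `<key_id>.<random>` key format, the class and method names, and reading the Automatic Expiry override as a cap on the requested TTL are assumptions made for this example.

```python
import hashlib, hmac, secrets, time
from dataclasses import dataclass
MAX_INVALID_PER_IP = 10  # the post: an IP is blocked after 10 requests with invalid credentials

@dataclass
class KeyRecord:
    consumer: str
    key_hash: bytes     # SHA-256 of the API Key's random part; the key itself is never stored
    secret_hash: bytes  # SHA-256 of the rotation secret
    expires_at: float
    roles: frozenset

def _digest(value):
    return hashlib.sha256(value.encode()).digest()

class ApiKeyStore:
    def __init__(self, auto_expiry_seconds, now=time.time):
        self.auto_expiry = auto_expiry_seconds  # models "Automatic Expiry of API Consumer Key"
        self.now = now
        self.records = {}        # key id -> KeyRecord
        self.invalid_by_ip = {}  # client ip -> failed attempts
        self.blocked_ips = set()

    def issue(self, consumer, roles, ttl=None):
        # Assumed key format "<key_id>.<random>": only the random part is hashed; auto expiry caps any requested TTL
        key_id, token, secret = secrets.token_hex(8), secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        effective_ttl = self.auto_expiry if ttl is None else min(ttl, self.auto_expiry)
        self.records[key_id] = KeyRecord(consumer, _digest(token), _digest(secret),
                                         self.now() + effective_ttl, frozenset(roles))
        return f"{key_id}.{token}", secret  # both are shown to the caller exactly once

    def rotate(self, api_key, secret, ttl=None):
        key_id = api_key.partition(".")[0]
        rec = self.records.get(key_id)
        if rec is None or not hmac.compare_digest(rec.secret_hash, _digest(secret)):
            raise PermissionError("rotation requires the key's current secret")
        del self.records[key_id]  # the old key stops working immediately
        return self.issue(rec.consumer, rec.roles, ttl)

    def authenticate(self, api_key, client_ip):
        if client_ip in self.blocked_ips:
            return None
        key_id, _, token = api_key.partition(".")
        rec = self.records.get(key_id)
        if rec and hmac.compare_digest(rec.key_hash, _digest(token)) and self.now() < rec.expires_at:
            return rec
        self.invalid_by_ip[client_ip] = self.invalid_by_ip.get(client_ip, 0) + 1
        if self.invalid_by_ip[client_ip] >= MAX_INVALID_PER_IP:
            self.blocked_ips.add(client_ip)  # expired and unknown keys count as invalid credentials
        return None
```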
What’s next for Mambu API Keys & Consumers
At Mambu, we feel confident in our custom implementation of API Keys and API Consumers and we are continuously making improvements to keep up with market standards while being proactive with identifying and staying ahead of evolving customer needs. Over the course of next year, we are planning to add new capabilities to our API Authentication & Authorisation solution to further bolster security.