API Keys
API keys allow full access to your account, just like an email address / password combination. However, you can create any number of them, and each one can be invalidated individually at any moment.
Using an API Key means you can use the reflow CLI without logging in. This enables you to run reflow in a fully-automated fashion, for example as part of your Continuous Integration suite.
This feature is only available to teams with an active AWS Marketplace subscription. Please contact support if you need help upgrading.
Generate a new API Key
To generate an API Key, you need to be logged in to your account. Open the Account UI by selecting your name in the top-right corner. One of the available tabs there is "API Keys".
Here you can see a list of the API keys that have been generated, when they were last used, and the number of times they have been used. You can revoke an API key by selecting the Bin icon on the right-hand side.
To generate a new API key, click the "Create New API Key" button.
You must name the API key. This can be anything you want, and will only be used to identify it in the table below.
On generation, you will be shown both the key and a download button to save it to your computer. The key is not stored on the server, and cannot be re-derived. If you lose your key, revoke it and generate a new one.
Use the API Key
The Reflow CLI can be passed an API key file using the -k parameter. Alternatively, when no key file is passed in, the Reflow CLI will search for the API key in two locations, before failing over to login authentication:
- At the root of the current working directory's git repository. E.g. if your application is stored in mygitroot/myapp/package.json, and the CLI is invoked via an npm script in that package.json, the Reflow CLI will first look in mygitroot/reflow.key
- At $HOME/.reflow/api.key
Access Rights
Having a Reflow API key grants full access to the user account that it was generated with. As such, it must be kept secret.
Any use of the API key will be logged against the user account that the API key was generated with.
In a CI/CD use case, it is recommended to use the API key with a service account that has only Edit rights to the team.
It is recommended not to check any personal API keys in to git. A .gitignore rule on reflow.key can help avoid this.
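The search order and the secrecy guidance above can be combined into a pre-flight check that a CI job runs before invoking the CLI. This is an added example, not Reflow's own code: the function names, exit codes and the file-permission check are assumptions, and only the two key locations and the reflow.key ignore rule come from this page.

```shell
#!/bin/sh
# Added example (not Reflow's code). The two search locations come from the
# page; the checks and exit codes are assumptions made for this sketch.

# Print the key file the CLI would pick up when -k is not given.
find_reflow_key() {
    root=$(git rev-parse --show-toplevel 2>/dev/null) || root=""
    if [ -n "$root" ] && [ -f "$root/reflow.key" ]; then
        printf '%s\n' "$root/reflow.key"
    elif [ -f "$HOME/.reflow/api.key" ]; then
        printf '%s\n' "$HOME/.reflow/api.key"
    else
        return 1
    fi
}

# Exit codes: 0 = key found and handled safely, 1 = finding, 2 = no key file.
audit_reflow_key() {
    key=$(find_reflow_key) || {
        echo "no key file; the CLI would fall back to login" >&2
        return 2
    }
    status=0
    dir=$(dirname "$key")
    name=$(basename "$key")
    # A key inside a work tree must be untracked and covered by an ignore rule.
    if git -C "$dir" rev-parse --is-inside-work-tree >/dev/null 2>&1; then
        if git -C "$dir" ls-files --error-unmatch -- "$name" >/dev/null 2>&1; then
            echo "FAIL: $key is tracked by git" >&2
            status=1
        elif ! git -C "$dir" check-ignore -q -- "$name"; then
            echo "FAIL: $key is not matched by any .gitignore rule" >&2
            status=1
        fi
    fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    if [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
        echo "FAIL: $key is accessible to group or other users" >&2
        status=1
    fi
    return "$status"
}
```

Call audit_reflow_key as a CI step before the CLI runs and fail the job on exit code 1.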