As incident communication teams grow larger, Statuspage admins are often interested in restricting page permissions at the user level. These permissions include the ability to manage status pages, post or update incidents, or develop custom integrations.
Historically, all Statuspage users have had full access to all of these features. However, this level of access can become a risk for organizations with dozens, or even hundreds, of team members. We are committed to introducing more role-based access control (RBAC) features this year for Statuspage admins to solve this problem.
As a first step, we are changing the way API keys are distributed and managed inside the product – so that account owners are in full control.
Today, every user has their own individual API key with full read/write access, which can be found on the API info page (in your user menu when you click your avatar). Any team member can use their key to manage the status page externally, which creates a risk of unauthorized use.
In addition, if a team member's account is removed by an admin and their individual key has been used for a custom integration, the key is no longer active and the integration may break.
Starting February 2020, all API keys will migrate to the organization level – so only account owners have access to them. Other users will still be able to find supporting information on the API info page, but they will need to request an API key from the account owner.
After the migration, all existing API keys will remain functional, to ensure all custom integrations work without any interruptions. The only change is that the API keys will no longer “belong” to individual users, but to a Statuspage account as a whole.
We’ll also be adding some helpful tools to identify actively used API keys (“last used”), create additional keys, or remove unused ones.
If you have any questions, contact Statuspage support here.
Victor Dronov
Product Manager
Atlassian