Generate a service access key

As illustrated in Access keys, some of the SBS services require a service access key (SAK).

To generate a service access key, the following prerequisites must be in place:

  • the application for which you are generating the key must exist.
  • the tenant for which you are generating the key must exist.

When generating the key, you can optionally set the following properties:

  • scope - Restricts the scope of the key. The default value is an empty string, which means access to all services is granted. See Restrict access to services for more information.
  • description - Provides a text description that helps you easier identify the key.

You can generate a service access key either from the graphical user interface of the SBS Console (Web UI), or programmatically from GraphQL.

Web UI

To generate a service access key through the Web UI:

  1. Sign in to the SBS Console.

  2. Click the WebUI tab.

  3. In the left-hand side navigation menu, click Tenants.

  4. Click the tenant for which you would like to generate the key.

  5. Click the Add Add Button button in the top-right corner of the service access keys table. A dialog box appears.

  6. Under Applications, select the application for which you are generating the key.

  7. Optionally, enter a key description.

  8. Under Scope, enter the extent of permissions available to the bearer of this key. For details, see Scope editor. Note that, if you leave the scope unset, the key bearer will be granted full access to all APIs that require a tenant-level security access key (for the selected app and tenant).

    Generate service access key dialog box

  9. Click Generate Service Access Key. The key is generated and the dialog box remains open.

  10. Click Show Secret Key and copy the private key value. You can now use this value in the x-api-key header when accessing a relevant SBS service.

    Generate service access key dialog box

GraphQL

To generate a service access key from GraphQL:

  1. Sign in to the SBS Console and click the GraphQL tab. Alternatively, access the Account API programmatically from your own GraphQL development environment.
  2. Run the following mutation:
mutation generate_sak($appId: ID!, $tenantId: ID!, $active: Boolean, $description: String, $scope: Scope) {
  generateServiceAccessKey(
    input: {appId: $appId, tenantId: $tenantId, active: $active, description: $description, scope: $scope}
  ) {
    privateKey
  }
}

In the variables, make sure to replace the example values below with the ones you actually require:

  • appId - The unique identifier of the application for which you are generating this key. To view all applications and their details, run the apps query first.
  • tenantId - The unique identifier of the tenant for which you are generating this key. To view all tenants and their details, run the tenants query first.
  • scope - Restricts the scope of the key to specific services only, or to even to specific queries and mutations of a service. This is also optional. Bear in mind, however, that an empty scope means that access to all queries and mutations of all services is granted. When multiple scope strings exists, they must be separated by space characters. For more information about the syntax rules, see Restrict access to services.
  • description - An optional text description that will help you easier identify the key later.
{
  "appId": "YOUR_APPLICATION_ID",
  "tenantId": "YOUR_TENANT_ID",
  "description": "",
  "scope": ""
}

The privateKey field in the returned response contains the generated key.

Read more

Managing tenants Deny service access