Generate an account access key

An account access key (AAK) provides access to the Account API. When creating the key, you can optionally provide a scope. The scope restricts the key’s access only to particular queries and mutations of the Account API.

Although scope is optional, it is strongly recommended to provide one that is as restrictive or as permissive as required by your business case. An empty (not set) scope means that the key bearer will have access to all queries and mutations of the Account API.

You can generate an account access key either from the graphical user interface of the SBS Console (Web UI), or programmatically from GraphQL.

Web UI

Sign in to the SBS Console and click the WebUI tab if it’s not already selected.
In the left-hand side navigation menu, click Account Access Keys.
Click the New Account Access Key button in the top-right corner of the page. A dialog box appears.
Optionally, enter a description.
Under Scope, enter the extent of permissions that should be available to the bearer of the key. For details, see Scope editor. Note that, if you leave the scope unset, the key bearer will be granted full access to the Account API (and implicitly to all the actions available in the SBS Console).
Click Add. The key is generated and the dialog box remains open.
Click View Secret Key and copy the private key value. You can now use this value in the x-api-key header when accessing a relevant SBS service.

GraphQL

To generate an account access key from GraphQL:

Sign in to the SBS Console and click the GraphQL tab. Alternatively, access the Account API programmatically from your own GraphQL development environment.
Run the following mutation:

mutation generateAAK($input:GenerateAccountAccessKeyInput!) {
  generateAccountAccessKey(input:$input) {
    publicKey
    privateKey
    scope
    description
  }
}

In the variables, make sure to set the scope as required by your case. The example scope illustrated in the code listing below grants access to all queries and all mutations of the Account API. It is strongly recommended to restrict the scope only to mutations and queries relevant for the bearer of the key. For more information, see Restrict access to services.

{
  "input": {
    "scope": "account-api:query:* account-api:mutation:*"
	}
}

Each scope sub-string must begin with account-api. The following is an example of a valid scope: account-api:query:apps account-api:mutation:createApp.

The privateKey field in the returned response contains the generated key.

Restrict access to services Portal users

Generate an account access key

Web UI

GraphQL

Read more