Token Management / InfoSec


We’re trying to combine data from our Fibery with data from other sources (e.g. log data) for some analysis tasks. We’re struggling to find a way to manage the API tokens that aligns with how we want to secure access.

We have two workflows:

  1. scripts that automatically run overnight to build standard reports in our k8s
  2. scripts that we run on our local machines to generate ad hoc analysis

For 1) we’d really like to have an organisation-level token rather than a token associated with an individual. Ideally any workspace admin would be able to manage the credentials used in these reports; however, currently only the individual that obtained the token can do that.

For 2), we’d really like the access for ad hoc analysis to be behind two-factor authentication. While you need 2FA to get a token (we’re using OAuth to sign in via the browser), once you have a token it becomes one factor, as all you need is that token, and the token is long lived. We have addressed this issue with other services by forcing the ad hoc tokens to expire after a short period (e.g. 24 hours), either by having a service that uses an organisation-level token to issue and revoke credentials, or by configuring the service to only give temporary credentials.

Do you have anything in the pipeline for the above?
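The first of the two mitigations in point 2 (a broker service that holds the organisation-level token and issues short-lived, revocable credentials to ad hoc users) sketched as an added example; this is not code from the post or from Fibery, and the `TokenBroker` class, the 24-hour TTL and the `ORG-TOKEN-PLACEHOLDER` value are assumptions for illustration.

```python
# Hypothetical credential broker: the long-lived org token stays inside the
# broker; ad hoc users get derived tokens that expire after 24 hours and that
# any admin can revoke without needing the original requester.
import hashlib
import secrets
import time
from dataclasses import dataclass

TTL_SECONDS = 24 * 60 * 60  # ad hoc tokens live for 24 hours, as in the post


@dataclass
class IssuedToken:
    user: str
    expires_at: float
    revoked: bool = False


class TokenBroker:
    def __init__(self, org_token, clock=time.time):
        self._org_token = org_token  # never returned to callers
        self._clock = clock          # injectable so expiry can be tested
        self._issued = {}            # sha256(token) -> IssuedToken; raw tokens not stored

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user, mfa_verified):
        """Mint a short-lived token only after a fresh 2FA login is confirmed."""
        if not mfa_verified:
            raise PermissionError("ad hoc token requires a 2FA-verified login")
        token = secrets.token_urlsafe(32)
        self._issued[self._key(token)] = IssuedToken(user, self._clock() + TTL_SECONDS)
        return token

    def authorize(self, token):
        """Return the owner if the token is known, unexpired and unrevoked."""
        rec = self._issued.get(self._key(token))
        if rec is None or rec.revoked or self._clock() >= rec.expires_at:
            raise PermissionError("token invalid, expired or revoked")
        return rec.user

    def revoke_user(self, user):
        """Cut off one user's ad hoc access; returns how many tokens were revoked."""
        live = [r for r in self._issued.values() if r.user == user and not r.revoked]
        for rec in live:
            rec.revoked = True
        return len(live)

    def sweep_expired(self):
        """Drop expired records so the store does not grow without bound."""
        now = self._clock()
        dead = [k for k, r in self._issued.items() if now >= r.expires_at]
        for k in dead:
            del self._issued[k]
        return len(dead)
```

The broker would call the real API with `_org_token` on behalf of an authorised user, so the long-lived credential never leaves the service.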