Improved API Security with Scoped Access Tokens

The DNSimple team has recieved requests from many of our users looking to automate their certificate management, without compromising the security of their mission-critical domains. We loved the idea, so we implemented it.

We're releasing scoped access tokens, a feature that lets teams and enterprises use more secure access tokens. With this feature, you'll be able to set the restrictions for each token, securing your company's digital assets. Available on the Teams plan and higher.

We're also introducing access token prefixes – a way to easily see meta-data about the token. The primary benefit of this is secret scanning, so you can easily find any sensitive information in your source code and improve the security of your repositories.

In this post, we'll talk more about this feature, go over how to manage your API Access Tokens in DNSimple, best practices for maintaining your tokens, and how this all ties into our new Domain Control Plane — a way for you to gain unprecedented visibility and control into even the most complex domain portfolios, including resources hosted outside DNSimple's infrastructure.

Scoped Access tokens and the Domain Control Plane

If you're using our Domain Control Plane to manage your DNS or domains, many aspects of it require access tokens to interact with our API (e.g. Terraform). Scoped access tokens let you link your domains without having to give third parties access to your entire account.

Access tokens allow third party tools to talk to DNSimple's API. They tell it that the bearer has authorization to access the API and perform actions specified by the scope. They can be created via a third-party app as part of the OAuth process, but you can always create your own to use with one of our many API clients or custom code integrations.

Scoped access tokens let you tighten the security of your DNSimple account and related digital assets. You can limit their permissions, so you know third parties can only access resources, or groups of resources, that you've allowed. You can also specify the type of access — i.e. read-only or full. For example, you can create an account access token with permissions for managing all the certificates for one domain, or across all your domains. You can also create account access tokens with read-only permissions for specific zones. If someone tries to access something for which they haven't been granted access, they'll see a 403: Permission Denied error.

Creating and managing your access tokens

To create an access token, follow these simple steps:

• Head over to your Account Access Tokens page.
• Click add.
• Choose a label so you can easily reference the token later.
• Click save.

When you create an access token on a supported plan, you'll see additional form fields that let you customize which resources the token can access. When you're finished customizing the resources, click Generate token to create the token, and it will be displayed on the screen.

Once an access token has been created, you can't change its permissions. However, you can still view the permissions it was created with. To delete a token, just click delete next to the token you want to remove.

Keeping your access tokens secure

• Keep your token secret — they should never be in your source code. Our tokens are prefixed to enable secret scanning to avoid this issue.
• Build in a Routine process to rotate them regularly.
• Follow the principle of least privilege — fine tune the permissions for each token, and limit them to the narrowest scope possible.

For more on how to access the API with your newly generated token, take a look at our developer documentation. We've also created a video with a demo of how it works.

Protect your digital assets

The new scoped access tokens make it easy for you to protect your digital assets with just a few clicks. Don't give third parties more access than you have to — set permissions and keep your domains secure.

We offer a variety of strong security features on every plan, and we always want to know how we can further meet your security needs. Whether you've been with DNSimple for a month or a decade, if there's a feature you'd like to see us add, drop us a line — we'd love to hear from you.

If you're not using DNSimple yet, find your plan, and give us a try free for 30 days. Want to discuss your DNS needs more first? Just send us a message and we'll find the plan that's right for you.

Share on Twitter and Facebook

Dallas Read

Dream. Risk. Win. Repeat.