Improved API Security with Scoped Access Tokens
The DNSimple team has received requests from many of our users looking to automate their certificate management without compromising the security of their mission-critical domains. We loved the idea, so we implemented it.
We're releasing scoped access tokens, a feature that lets teams and enterprises use more tightly restricted access tokens. With this feature, you'll be able to set the restrictions for each token, securing your company's digital assets. Scoped access tokens are available on the Teams plan and higher.
We're also introducing access token prefixes, a way to easily recognise metadata about a token from the token itself. The primary benefit is secret scanning: a recognisable prefix lets scanning tools flag tokens that have been committed to your source code, so you can remove them and improve the security of your repositories.
In this post, we'll talk more about this feature, go over how to manage your API access tokens in DNSimple, cover best practices for maintaining your tokens, and explain how this all ties into our new Domain Control Plane — a way for you to gain unprecedented visibility into, and control over, even the most complex domain portfolios, including resources hosted outside DNSimple's infrastructure.
Scoped Access tokens and the Domain Control Plane
If you're using our Domain Control Plane to manage your DNS or domains, many aspects of it require access tokens to interact with our API (e.g. Terraform). Scoped access tokens let you link your domains without having to give third parties access to your entire account.
Access tokens allow third-party tools to talk to DNSimple's API. They tell the API that the bearer is authorized to perform the actions specified by the token's scope. They can be created by a third-party app as part of the OAuth process, but you can always create your own to use with one of our many API clients or custom code integrations.
Scoped access tokens let you tighten the security of your DNSimple account and related digital assets. You can limit a token's permissions, so you know third parties can only access the resources, or groups of resources, that you've allowed. You can also specify the type of access — i.e. read-only or full. For example, you can create an account access token with permissions for managing all the certificates for one domain, or across all your domains. You can also create account access tokens with read-only permissions for specific zones. If someone tries to access something for which their token hasn't been granted access, they'll see a 403: Permission Denied error.
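The paragraph above says a scoped token that is used outside its grant gets a 403. Integration code should treat that distinctly from a rejected token, and it is worth probing a freshly minted token against the one zone it is meant to manage before wiring it into automation. The following is an added example, not DNSimple's client code or anything from the post: it calls the DNSimple API v2 endpoint for listing zone records over plain `urllib`, maps 401 and 403 to separate exceptions, and includes an offline stand-in for `urlopen` so the check runs without network access. The account id, zone name and token values are constructed placeholders.

```python
"""Added example: call the DNSimple v2 API with a bearer token and tell a scope
failure (HTTP 403) apart from a rejected token (HTTP 401)."""
import io
import json
import urllib.error
import urllib.request

API_BASE = "https://api.dnsimple.com/v2"


class InvalidTokenError(Exception):
    """The API did not accept the token at all (revoked, expired or malformed)."""


class InsufficientScopeError(Exception):
    """The token is valid but was not granted access to the requested resource."""


def list_zone_records(account_id, zone_name, token, opener=urllib.request.urlopen):
    """GET /{account}/zones/{zone}/records and return the `data` array.

    `opener` defaults to urllib's urlopen; tests pass a stand-in so no network is used.
    """
    url = f"{API_BASE}/{account_id}/zones/{zone_name}/records"
    req = urllib.request.Request(
        url,
        headers={"Authorization": f"Bearer {token}", "Accept": "application/json"},
    )
    try:
        with opener(req) as resp:
            return json.load(resp)["data"]
    except urllib.error.HTTPError as err:
        if err.code == 401:
            raise InvalidTokenError("token rejected by the API") from err
        if err.code == 403:
            # The token authenticated, but its scope does not cover this zone.
            raise InsufficientScopeError(f"token not scoped for zone {zone_name!r}") from err
        raise


def check_token_scope(account_id, zone_name, token, opener=urllib.request.urlopen):
    """Pre-deployment probe: does this token reach the zone it is supposed to manage?

    Returns "ok", "invalid_token" or "insufficient_scope" instead of raising,
    so it can be used from a rollout script.
    """
    try:
        list_zone_records(account_id, zone_name, token, opener=opener)
    except InvalidTokenError:
        return "invalid_token"
    except InsufficientScopeError:
        return "insufficient_scope"
    return "ok"


def fake_opener(status, body=b'{"data": []}'):
    """Stand-in for urllib.request.urlopen that simulates one HTTP status (offline)."""
    def opener(req):
        if status == 200:
            return io.BytesIO(body)  # supports `with` and .read() like a real response
        raise urllib.error.HTTPError(req.full_url, status, "simulated error", {}, None)
    return opener


if __name__ == "__main__":
    # Constructed values: "1010" is a placeholder account id, the token is fake.
    for status in (200, 401, 403):
        result = check_token_scope("1010", "example.com", "placeholder-token",
                                   opener=fake_opener(status))
        print(f"HTTP {status} -> {result}")
```

Used for real, replace `fake_opener(...)` with the default opener and run `check_token_scope` once after creating a token; a result of `insufficient_scope` means the token was created with narrower permissions than the automation needs, and since permissions cannot be changed after creation, the fix is to mint a new token with the correct scope rather than widen an existing one.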
Creating and managing your access tokens
To create an access token, follow these simple steps:
- Head over to your Account Access Tokens page.
- Choose a label so you can easily reference the token later.
When you create an access token on a supported plan, you'll see additional form fields that let you customize which resources the token can access. When you're finished customizing the resources, click Generate token to create the token, and it will be displayed on the screen.
Once an access token has been created, you can't change its permissions. However, you can still view the permissions it was created with. To delete a token, just click delete next to the token you want to remove.
Keeping your access tokens secure
- Keep your tokens secret — they should never be in your source code. Our tokens are prefixed to enable secret scanning, so a token that does slip into a repository can be caught.
- Build a routine process to rotate them regularly.
- Follow the principle of least privilege — fine-tune the permissions for each token, and limit them to the narrowest scope possible.
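The first item above is the reason for token prefixes: a fixed, recognisable prefix turns "find leaked credentials" into a pattern match you can run in CI or a pre-commit hook. The following is an added example, not DNSimple's scanning tooling or code from the post. The post does not state the actual prefix, so `dnsimple_` and the minimum token length are placeholder assumptions to be replaced with the real format; the sample source lines are constructed, and the token in them is fake. Findings are reported masked so the scanner's own output does not become a second copy of the secret.

```python
"""Added example: scan source files for prefixed API tokens (pre-commit / CI check)."""
import os
import re
import sys

# ASSUMPTION: the post only says tokens carry a prefix. "dnsimple_" and the
# 24-character minimum are placeholders; use the real prefix and length.
TOKEN_PREFIX = "dnsimple_"
TOKEN_PATTERN = re.compile(rf"\b({re.escape(TOKEN_PREFIX)}[A-Za-z0-9_-]{{24,}})\b")

# Directories that never hold first-party source and would only add noise.
SKIP_DIRS = {".git", "node_modules", ".terraform", "vendor"}


def mask(token: str) -> str:
    """Keep the prefix plus a few characters at each end so a finding is identifiable
    but the report itself does not leak the token."""
    keep = len(TOKEN_PREFIX) + 4
    return token[:keep] + "..." + token[-4:]


def scan_lines(lines, filename="<input>"):
    """Return (filename, line number, masked token) for every match in `lines`."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for match in TOKEN_PATTERN.finditer(line):
            findings.append((filename, lineno, mask(match.group(1))))
    return findings


def scan_tree(root):
    """Walk a directory tree and scan every file as text, skipping SKIP_DIRS."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    findings.extend(scan_lines(fh, path))
            except OSError:
                continue  # unreadable file (permissions, special file); skip it
    return findings


# Constructed sample: a config file that wrongly embeds a token on line 2.
# The token value is fake. Line 4 shows the pattern that does not trigger a finding.
SAMPLE_SOURCE = """\
# settings.py (constructed sample)
DNSIMPLE_TOKEN = "dnsimple_3f9aK2Lm8QxR7vT0bN5cW1yZ4dH6jP8s"
API_BASE = "https://api.dnsimple.com/v2"
token = os.environ["DNSIMPLE_TOKEN"]  # read from the environment instead
"""


def main(argv):
    if argv:
        findings = scan_tree(argv[0])
    else:
        findings = scan_lines(SAMPLE_SOURCE.splitlines(), "settings.py")
    for filename, lineno, masked in findings:
        print(f"{filename}:{lineno}: possible API token {masked}")
    # Non-zero exit blocks the commit or fails the CI job when anything is found.
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run with a path argument to scan a checkout (`python scan_tokens.py .`), or with no arguments to see it flag the constructed sample. Pairing the scan with the rotation item is what makes it useful: a hit means the token has to be treated as exposed and replaced, not just deleted from the file, because the value remains in history.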
Protect your digital assets
The new scoped access tokens make it easy for you to protect your digital assets with just a few clicks. Don't give third parties more access than you have to — set permissions and keep your domains secure.
We offer a variety of strong security features on every plan, and we always want to know how we can further meet your security needs. Whether you've been with DNSimple for a month or a decade, if there's a feature you'd like to see us add, drop us a line — we'd love to hear from you.