Encryption Key

An encryption key must be defined. This service leverages this encryption key to encrypt and decrypt token values.

Key information:

To set an encryption key

  1. Navigate to the Token Auth page.
  2. Set the desired encryption key in the Primary Key option.
  3. Click Update.

Best Practices

Ensure token security by following these guidelines when defining an encryption key:

Do not exceed a key length size of 250 characters.

OpenSSL

A standard method for generating random values is to use the OpenSSL tool to perform hexadecimal encoding.

Syntax:

Hexadecimal encoding doubles the specified length. For example, specifying a length of "32" will generate a value containing 64 characters.

Example:

OpenSSL> rand -hex 32

Loading 'screen' into random state - done

70ae02ac9f8270e160eadbaefdd5df37c8e13750d1793dcd55b00943fff3b829

Switching to a New Encryption Key

Tokens may only be decrypted using either the primary or backup encryption key defined on the Token Auth page. If the requested content contains a token generated using an old encryption key, then the request will be denied.

The following factors may prevent you from instantly switching to a new encryption key:

As a result of all of these factors, it is recommended to leverage two active encryption keys to ensure uninterrupted access to your content. This procedure requires that the old key be assigned as a backup key when creating a new encryption key. Since the old key is still an active encryption key, links that contain old tokens may still be used to authenticate.

Remove the old encryption key once the following events have taken place:

The above process ensures a smooth transition to a new encryption key.

To change your encryption key (recommended procedure)

  1. Navigate to the Token Auth page.
  2. From the Token-Based Authentication section, copy the value from the Primary Key option to the Backup Key option.
  3. In the Primary Key option, type your new encryption key.
  4. Click Update to save your changes.

    It may take up to an hour for your primary key to become active.

  5. Generate new tokens using the new primary key.
  6. Update all links to content secured by Token-Based Authentication to use the tokens generated in the previous step.
  7. Purge the content updated in the previous step.
  8. Clear the Backup Key option.
  9. Click Update to save your changes.

    It may take up to an hour for your backup key to become deactivated. After which, links that use token values based on the old encryption key will be rejected.