Personal Access Tokens

July 2024

What’s changing

We are updating the authentication method for accessing MK.IO.

Previously, API authentication was managed through the x-mkio-token header, with tokens stored in our database. Tokens were generated on a successful SSO login or by calling the '/auth/token/' endpoint.

Authentication is now done via a JSON Web Token (JWT). A JWT is generated upon a successful login or through a set of specified endpoints. The JWT bearer authentication process extracts the token from the Authorization request header and validates it to confirm the user's identity.

Who is impacted

API users are encouraged to adopt the new authentication method to access the API by creating new API tokens.
While the old method still works, it is no longer recommended. Please make sure you copy your credentials to connect your user application.

Why you would use this / Why it matters

The benefit compared to the old system is the ability to use a popular, secure and compact authentication and authorization mechanism. Each user can view the tokens they have created across all organizations they have access to.

Tokens can also be revoked; once revoked, they are no longer accepted by MK.IO.

These improvements enhance security, manageability, and flexibility for all users.

Additional details

For now, we support two types of tokens, both limited to a single organization account:

  • Login tokens are provided after a successful SSO login. They are given to the UI in a cookie and are only really intended for UI use. They provide the bearer with the full set of capabilities of the user.
  • Full-access tokens are created by a specific API call. They can last up to one year and provide the bearer with the full set of capabilities of the user.

We will introduce restricted tokens when we implement support for Role-based Access Control (RBAC).

The JWT can be presented to the API as a cookie (for the UI), as a standard bearer token in the Authorization header, or in the old x-mkio-token header, which will eventually be deprecated.
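The following is an added illustration of the server-side process described above: extracting a bearer token from the Authorization header, validating it, rejecting expired tokens (the page caps full-access tokens at one year) and refusing revoked ones. It is not MK.IO's code; the HS256 signing key, the claim names (sub, org, jti, exp) and the in-memory revocation set are assumptions made for the example, and it uses only the Python standard library so it runs offline.

```python
"""Illustrative JWT bearer validation with expiry and revocation checks.

Not MK.IO's implementation. The signing key, claim names and revocation
store below are assumptions made for this example.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional

# Assumed shared HMAC secret for HS256. A real deployment loads this from a
# secret store, never from source code.
SECRET_KEY = b"example-signing-key-not-a-real-secret"

# The page states full-access tokens may last up to one year.
MAX_LIFETIME_SECONDS = 365 * 24 * 3600

# Assumed revocation store: the "jti" (JWT ID) of every revoked token.
REVOKED_TOKEN_IDS = set()


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, organization: str, token_id: str,
                lifetime_seconds: int, now: Optional[float] = None) -> str:
    """Mint an HS256 JWT scoped to one organization (claim names assumed)."""
    if lifetime_seconds > MAX_LIFETIME_SECONDS:
        raise ValueError("lifetime exceeds the one-year maximum")
    now = time.time() if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "org": organization, "jti": token_id,
               "iat": int(now), "exp": int(now) + lifetime_seconds}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = _b64url_encode(compact(header)) + "." + _b64url_encode(compact(payload))
    signature = hmac.new(SECRET_KEY, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(signature)


def extract_bearer_token(headers: Dict[str, str]) -> Optional[str]:
    """Return the token from 'Authorization: Bearer <jwt>', or None."""
    for name, value in headers.items():
        if name.lower() == "authorization":
            scheme, _, token = value.strip().partition(" ")
            if scheme.lower() == "bearer" and token.strip():
                return token.strip()
    return None


def validate_token(token: str, now: Optional[float] = None) -> dict:
    """Verify algorithm, signature, expiry and revocation; raise ValueError on failure."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, signature_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm server-side; never let the token's own 'alg' choose it.
    if header.get("alg") != "HS256":
        raise ValueError("unsupported algorithm")
    expected = hmac.new(SECRET_KEY, (header_b64 + "." + payload_b64).encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(signature_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("token expired")
    if claims.get("jti") in REVOKED_TOKEN_IDS:
        raise ValueError("token revoked")
    return claims


def revoke_token(token_id: str) -> None:
    """Record a token id so validate_token rejects it from now on."""
    REVOKED_TOKEN_IDS.add(token_id)


def authenticate_request(headers: Dict[str, str], now: Optional[float] = None) -> Optional[dict]:
    """Return the verified claims for a request, or None if it must be rejected."""
    token = extract_bearer_token(headers)
    if token is None:
        return None
    try:
        return validate_token(token, now=now)
    except ValueError:  # covers malformed base64/JSON, bad signature, expiry, revocation
        return None


if __name__ == "__main__":
    # Constructed sample request: a token minted for one organization.
    jwt = issue_token("alice@example.com", "org-1", "tok-1", 3600, now=1_000_000)
    print(authenticate_request({"Authorization": "Bearer " + jwt}, now=1_000_100))
    revoke_token("tok-1")
    print(authenticate_request({"Authorization": "Bearer " + jwt}, now=1_000_100))
```

The verifier pins the algorithm and compares signatures in constant time; the revocation check runs after signature verification so that only authentic tokens ever touch the revocation store.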

Getting started

You can create a personal token from your profile page, accessible by clicking on your email in the drop-down menu in the top right corner. For more details, refer to the API Tokens page.

Availability & rollout plan

This capability is available in all regions effective July 9th 2024.