| 1 | +--- |
| 2 | +layout: post |
| 3 | +title: Improved API tokens for crates.io |
| 4 | +author: Tobias Bieniek |
| 5 | +team: the crates.io team <https://www.rust-lang.org/governance/teams/crates-io> |
| 6 | +--- |
| 7 | + |
| 8 | +If you created a new API token on crates.io lately, you may have noticed our new |
| 9 | +API token creation page and some of the new features it supports. |
| 10 | + |
| 11 | +Previously, when you clicked the "New Token" button on <https://crates.io/settings/tokens> |
| 12 | +you would only get the option to choose a name for the token, but nothing else. |
| 13 | +We knew that we wanted to offer our users more choices, but in the previous user |
| 14 | +interface that would have been difficult, so our first step was to build a |
| 15 | +proper "New API Token" page. |
| 16 | + |
| 17 | +Our next two features on the to-do list were both described as "token scopes". |
| 18 | +One part is allowing you to restrict API tokens to certain operations, e.g. |
| 19 | +only allowing a token to publish new versions of existing crates, but not any |
| 20 | +new crates. The second part is an optional restriction for the token to only |
| 21 | +work with certain crate names. If you want to read more about how these features |
| 22 | +were planned and implemented you can take a look at our corresponding |
| 23 | +[tracking issue](https://github.com/rust-lang/crates.io/issues/5443). |
| 24 | + |
| 25 | +The remaining piece to making crates.io API tokens more secure was implementing |
| 26 | +expiration dates for them. Since we had already touched most of the |
| 27 | +token-related code this was relatively straight-forward, and we are happy to |
| 28 | +announce that our "New API Token" page now supports endpoint scopes, crate |
| 29 | +scopes and expiration dates: |
| 30 | + |
| 31 | + |
| 32 | + |
| 33 | +Similar to when you create an API token on github.com, you can choose to not |
| 34 | +have an expiration date, use one of the presets, or even choose a custom |
| 35 | +expiration date. |
| 36 | + |
| 37 | +If you notice any issues, or if you have any questions don't hesitate to find us |
| 38 | +on [Zulip](https://rust-lang.zulipchat.com/#narrow/stream/318791-t-crates-io/topic/token.20scopes) |
| 39 | +or open an issue on [GitHub](https://github.com/rust-lang/crates.io/issues/new/choose). |
| 40 | + |
| 41 | +Finally, the crates.io team would like to thank the [OpenSSF's Alpha-Omega Initiative](https://openssf.org/community/alpha-omega/) |
| 42 | +and [JFrog](https://jfrog.com/blog/jfrog-joins-rust-foundation-as-platinum-member/) |
| 43 | +for funding the [Rust Foundation](https://rustfoundation.org) security |
| 44 | +initiative, which enabled us to implement these features and perform a lot of |
| 45 | +other security-related work on the crates.io codebase in the past couple of months! |
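Review bot: the colon ending line 29 ("...crate scopes and expiration dates:") introduces something that is not there; lines 30 to 32 of the hunk are empty, so the screenshot of the new token page that the sentence leads into appears to have been dropped from the commit, and either the image reference should be restored or the sentence should end with a period. Two smaller style points in the same hunk: "straight-forward" on line 27 is normally written "straightforward", and line 37 wants a comma before "don't hesitate" ("...or if you have any questions, don't hesitate to find us..."). Since the post's whole point is making tokens safer, it would also help readers if the paragraph on line 33 stated which option the team recommends (a preset expiration rather than "no expiration"), as the text currently presents the three choices as equivalent.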