-
Notifications
You must be signed in to change notification settings - Fork 288
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #1116 from Turbo87/api-tokens
Add "Improved API tokens for crates.io" post
- Loading branch information
Showing
2 changed files
with
48 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,48 @@ | ||
| --- | ||
| layout: post | ||
| title: Improved API tokens for crates.io | ||
| author: Tobias Bieniek | ||
| team: the crates.io team <https://www.rust-lang.org/governance/teams/crates-io> | ||
| --- | ||
|
|
||
| If you recently generated a new API token on crates.io, you might have noticed | ||
| our new API token creation page and some of the new features it now supports. | ||
|
|
||
| Previously, when clicking the "New Token" button on <https://crates.io/settings/tokens>, | ||
| you were only provided with the option to choose a token name, without any | ||
| additional choices. We knew that we wanted to offer our users more flexibility, | ||
| but in the previous user interface that would have been difficult, so our first | ||
| step was to build a proper "New API Token" page. | ||
|
|
||
| Our roadmap included two essential features known as "token scopes". The first | ||
| of them allows you to restrict API tokens to specific operations. For instance, | ||
| you can configure a token to solely enable the publishing of new versions for | ||
| existing crates, while disallowing the creation of new crates. The second one | ||
| offers an optional restriction where tokens can be limited to only work for | ||
| specific crate names. If you want to read more about how these features | ||
| were planned and implemented you can take a look at our corresponding | ||
| [tracking issue](https://github.com/rust-lang/crates.io/issues/5443). | ||
|
|
||
| To further enhance the security of crates.io API tokens, we prioritized the | ||
| implementation of expiration dates. Since we had already touched most of the | ||
| token-related code this was relatively straight-forward. We are delighted to | ||
| announce that our "New API Token" page now supports endpoint scopes, crate | ||
| scopes and expiration dates: | ||
|
|
||
|  | ||
|
|
||
| Similar to the API token creation process on github.com, you can choose to not | ||
| have any expiration date, use one of the presets, or even choose a custom | ||
| expiration date to suit your requirements. | ||
|
|
||
| If you come across any issues or have questions, feel free to reach out to us on | ||
| [Zulip](https://rust-lang.zulipchat.com/#narrow/stream/318791-t-crates-io/topic/token.20scopes) | ||
| or open an issue on [GitHub](https://github.com/rust-lang/crates.io/issues/new/choose). | ||
|
|
||
| Lastly, we, the crates.io team, would like to express our gratitude to the | ||
| [OpenSSF's Alpha-Omega Initiative](https://openssf.org/community/alpha-omega/) | ||
| and [JFrog](https://jfrog.com/blog/jfrog-joins-rust-foundation-as-platinum-member/) | ||
| for their contributions to the [Rust Foundation](https://rustfoundation.org) | ||
| security initiative. Their support has been instrumental in enabling us to | ||
| implement these features and undertake extensive security-related work on the | ||
| crates.io codebase over the past few months. |
Binary file added
BIN
+173 KB
static/images/2023-06-23-improved-api-tokens-for-crates-io/new-api-token-page.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.