Checkly has released a change to the way API keys are created and managed. In the past, API keys were account-scoped. These account-scoped keys have full access rights to your Checkly account and provide no accountability for which user is using the key.
When we originally built Checkly, we made it a tool to enable individual developers to quickly and easily set up browser and API checks. We help ensure your web applications are up and running and send alerts when something goes wrong. At that time, a public API, advanced user management, and strong access control weren't priorities for delivering that.
As Checkly grows and matures, we have more accounts with multiple users and more external integrations with Checkly via our API. This means that account-scoped API keys with full access to accounts are a limiting factor in several things we're building.
What are user-scoped API keys?
User-scoped API keys are just that: individual API keys that are scoped to a specific user's account and inherit that user's access role (Admin, Read & write, or Read only). The role inheritance means you can now enforce access restrictions when users access the Checkly API, either directly or via integrations with other applications, such as Terraform.
API keys are not created by default in a new Checkly account or for newly added Checkly users. Instead, you can create user-scoped API keys in the settings page. Another new feature is the ability to create multiple API keys for your user, whereas account-scoped keys were limited to one per account. Having multiple keys simplifies key rotation and allows you to have different keys for different applications. If you need to revoke a key for a specific application, you don't need to rotate the key in all of your applications.
What happens to your account-scoped keys?
All of your existing account-scoped API keys will continue to work just as they do today. We are not planning to deprecate existing account-scoped keys soon, although we might do so in the future if we need to. However, we will be removing the ability to create new account-scoped API keys. All new API keys will need to be user-scoped and created in the user settings page.
What's next?
Moving from account-scoped to user-scoped API keys enables us to build more functionality around API automation, user management, access control, and auditing. We are investigating all of these areas and will update our roadmap as we progress.