[TEC-445] Explain how API tokens work in more detail #2374
Conversation
✅ Don't forget to add
| Name | Link |
|---|---|
| 🔨 Latest commit | 5f4db6a |
| 🔍 Latest deploy log | https://app.netlify.com/projects/semgrep-docs-prod/deploys/6924e93edff8f00008d082c6 |
| 😎 Deploy Preview | https://deploy-preview-2374--semgrep-docs-prod.netlify.app |
| 📱 Preview on mobile | |
khorne3
left a comment
Just some nits
Co-authored-by: Katie Horne <katie.horne@semgrep.com>
docs/deployment/teams.md
Outdated
| #### Agent tokens | ||
|
|
||
| Automatically generated when onboarding repositories for CI/CD scans. These tokens authenticate agents running automated scans within CI environments. |
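Review bot: this heading presents agent tokens as a distinct token type, which the thread says they are not; they are listed with the API tokens and differ only in their default scope (Agent/CI), and API scope can be granted to them. Suggest folding this under the API tokens section and stating the scope explicitly, e.g. "Tokens generated when onboarding a repository for CI scans are API tokens with the Agent/CI scope by default; they can also be granted API scope." Since a token with API scope is broader than one with only Agent/CI scope, the text should also point readers to where that scope can be reviewed and the token revoked.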
This isn't actually a distinct type of token. They appear as API tokens and can be granted API scope, although the default scope is Agent/CI.
^ ✅
though I don't mind these as separately calling out the fact that agents make tokens, this section could mention that the generated tokens are the same as API tokens above?
Co-authored-by: Alexis Grant <alexis@semgrep.com>
mgovea
left a comment
another thing to optionally mention: a token's secret is not saved anywhere as-is and must be saved securely because it cannot be accessed after the token's creation
docs/deployment/teams.md
Outdated
| These tokens are created by admins in Semgrep AppSec Platform. They are used for API access, integrations, and automation. | ||
|
|
||
| Some features of these tokens: | ||
| - They are not tied to a specific user account, and remain valid until manually revoked, even if the creator is no longer associated with the deployment. |
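Review bot: the bullet "They are not tied to a specific user account" conflicts with the clarification later in this thread that API tokens can be associated with a user account (and inherit that user's role/scopes), with the creating user kept mainly as an audit record. Suggest rewording to "Created by admins. The creating user is recorded for auditing, but the token stays valid until manually revoked, even if that user is no longer associated with the deployment." This list is also the natural place for the point raised in review that the token secret is shown only at creation and cannot be retrieved afterwards, so it must be stored securely.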
[Nit / me ignorant] Do double spaces even show up on the website?
| - They are not tied to a specific user account, and remain valid until manually revoked, even if the creator is no longer associated with the deployment. | |
| - They are not tied to a specific user account, and remain valid until manually revoked, even if the creator is no longer associated with the deployment. |
Also, are they "not tied to a specific user account"? @zyannes
I know we have user in some cases, but maybe that's just CLI tokens...
correct - Zach can confirm, but we tell folks this often. The token, once generated, is independent of the generating user.
This is from Zach:
Technically API and CLI tokens can be associated with a user account, and therefore assume that user's role/scopes. However, in practice we only allow API tokens to be created by admins which therefore makes them "admin tokens"; the associated user in this case is more of an auditing "this user created this token"
docs/deployment/teams.md
Outdated
…re-detail' of github.com:semgrep/semgrep-docs into abhijnaparigi/tec-445-explain-how-api-tokens-work-in-more-detail