Authentication
Accounts
You may have an existing CostQuest Account if you are already a user of an existing CostQuest application or platform.
If you do not already have an account, you may create one by visiting the MyAccount page and, when prompted to sign in, choosing Sign Up to create a new account. The MyAccount page provides a centralized place to view API usage and manage API keys.
API Keys
- API keys provide an additional authentication mechanism to access APIs.
- Each key is scoped under an account and supplements account authentication rather than replacing it.
- Accounts can be authenticated only using authorization tokens obtained via an OIDC/OAuth flow. An account is required to create an API key.
- If an API key is provided as an authentication mechanism, it will be used as the context for authorization to resources regardless of whether an account authorization token is present.
- API keys cannot manage resources.
- To utilize an API key, it must be included in each request as a header named apikey with a value of the generated API key.
- Keys can be managed on the MyAccount page.
- Keys that remain inactive for extended periods of time may be revoked for security purposes.
Limits
- Rate limits are shared across an account and all its API keys.
- API keys can be assigned their own quota. This optional key quota is a hard limit. If the number of credits utilized by an API key exceeds its assigned quota, the API key will be disabled.
- Notifications regarding API key usage will be sent at 75% and 100% of a key’s assigned quota.
- If a key is problematic due to overuse or compromise, users should delete the offending key, create a new one, and secure and deploy the replacement key more carefully.
Securing Credentials
It is the responsibility of account holders to secure their credentials including any authorization tokens and API keys. Account holders are responsible for the usage that is generated from their account and API keys. Guidelines to follow include but are not limited to the following:
- Protect authorization tokens. An authorization token contains information that can provide anyone access to resources granted to an account.
- Share credentials securely. Use a service that restricts viewing to known email addresses, such as a password manager with secure share-link support.
- Grant API keys access to only the resources they require.
- Monitor usage. Accounts can monitor their own usage as well as the usage of their keys using the accountcontrol/getusage API.
- Do not include credentials directly in code. Consider using a secrets manager such as AWS Secrets Manager or Azure Key Vault. Alternatively, store them in environment variables or files that are ignored when publishing or sharing code.
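The following is an added example, not CostQuest's own client code, that puts the points above together: the key is read from an environment variable instead of source code, it is sent in the apikey header the API Keys section requires, it is masked before it reaches any log, and a usage report is checked against the 75% and 100% quota thresholds described under Limits. The base URL, the environment variable name, and the JSON shape returned by accountcontrol/getusage are assumptions, since the page does not give them; the sample usage response is constructed.

```python
"""Added example (not CostQuest's own code).

Assumptions, because the page does not state them:
  - BASE_URL is a placeholder, not the real API endpoint;
  - the key is read from the environment variable COSTQUEST_API_KEY;
  - the JSON shape returned by accountcontrol/getusage is invented here.
From the page: the header name is "apikey", usage is reported per key,
and a key's quota is a hard limit with notifications at 75% and 100%.
"""
import json
import os
from urllib.request import Request

BASE_URL = "https://api.example.invalid"   # placeholder base URL (assumption)
API_KEY_ENV = "COSTQUEST_API_KEY"          # assumed variable name
USAGE_PATH = "accountcontrol/getusage"     # API named on the page


def load_api_key(env=None):
    """Read the key from the environment so it never lives in source control."""
    env = os.environ if env is None else env
    key = env.get(API_KEY_ENV, "").strip()
    if not key:
        raise RuntimeError(f"{API_KEY_ENV} is not set; do not hard-code the key")
    return key


def mask_key(key, visible=4):
    """Redact a key for log output; only a short prefix survives."""
    if len(key) <= visible:
        return "*" * len(key)
    return key[:visible] + "*" * (len(key) - visible)


def build_request(path, api_key, method="GET"):
    """Attach the key as the 'apikey' header, as the API Keys section requires."""
    return Request(
        f"{BASE_URL}/{path.lstrip('/')}",
        method=method,
        headers={"apikey": api_key, "Accept": "application/json"},
    )


def usage_alert_level(credits_used, quota):
    """Map per-key usage onto the page's thresholds (75% warn, 100% disabled).

    A key with no assigned quota is capped only by the account-wide rate
    limit, so there is nothing to compare against and None is returned.
    """
    if quota is None or quota <= 0:
        return None
    ratio = credits_used / quota
    if ratio >= 1.0:
        return "disabled"   # hard limit: the page says the key is disabled
    if ratio >= 0.75:
        return "warn"       # first notification threshold on the page
    return "ok"


# Constructed sample of what a getusage response might look like (assumed shape).
SAMPLE_USAGE = json.dumps({
    "keys": [
        {"name": "ci-build", "credits_used": 800, "quota": 1000},
        {"name": "dev", "credits_used": 40, "quota": None},
        {"name": "batch", "credits_used": 1200, "quota": 1000},
    ]
})


def summarize_usage(body):
    """Return {key name: alert level} for a getusage response body."""
    report = json.loads(body)
    return {k["name"]: usage_alert_level(k["credits_used"], k["quota"])
            for k in report["keys"]}


if __name__ == "__main__":
    key = load_api_key()
    req = build_request(USAGE_PATH, key)
    print("would call", req.full_url, "with key", mask_key(key))
    # A real deployment would send req with urllib.request.urlopen and pass
    # the response body to summarize_usage; here the constructed sample is used.
    for name, level in summarize_usage(SAMPLE_USAGE).items():
        print(f"{name}: {level}")
```

Keys flagged "warn" are approaching the notification threshold; a key reported as "disabled" has crossed its hard quota, and per the Limits section the right response is to delete it and issue a new one rather than keep retrying with it.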