Managing tokens and keys

This page explains how to generate and use different tokens and keys for nRF Cloud services over REST, using the nRF Cloud portal or REST endpoints.

Some operations depend on your role within a team. Anyone can view a key or token, but not all roles can generate them.

API key

All team members can generate API keys through the nRF Cloud portal. The API key is specific to your user and team. You have a different API key for each team.

Note

You can generate API keys only through the nRF Cloud portal.

To view an existing API key or generate a new one:

1. Log in to the nRF Cloud portal.
2. Click the three-line menu in the upper right corner.
3. Click User Account.
4. On the Current Team Details card, locate the API key. You can copy the existing key, or generate a new one:
   • Click the icon next to the text box to copy the existing API key.

   • Click Regenerate API key to generate a new one.

     A pop-up opens:

     1. Type regenerate api key in the text box to confirm.
     2. Click OK.
     3. The new key appears in the text box.

Use this key in the Authorization: Bearer header in REST requests that require it. Previously issued API keys are valid for up to 60 minutes after you generate a new one.

JWT

For cloud-to-cloud use through a proxy server, you can generate a service evaluation token (valid for 30 days) or a service token signed with a service key. You can generate any of these keys and tokens through the portal or APIs.

To generate a JWT for direct device-to-cloud operations, see Securely generating credentials.

Evaluation token

An evaluation token is a type of JWT and used in the same way, in the authorization header of a request. A team may have one active evaluation token at a time.

Access

Only the team owner can generate an evaluation token, through the nRF Cloud portal or directly through the APIs.

All team members can view the evaluation token from the Team page in the portal or using the APIs.

In the nRF Cloud portal

To generate the evaluation token in the portal (owner only):

1. Log in to the nRF Cloud portal.
2. Click the drop-down menu in the top right corner.
3. Click Team.

4. In the Service Evaluation Token section, click Generate Token.

   A window opens asking for confirmation.

5. Click OK to generate the token.

6. Copy the token that appears in the text field to the left of the Generate Token button. The token no longer appears once it has expired.

Using the nRF Cloud APIs

To generate the evaluation token using the REST API (owner only):

• Call the GenerateServiceEvaluationToken endpoint.

To view the evaluation token (any role):

• View the token and its expiration date at any time using the GetServiceEvaluationToken endpoint.

Service key and token

The service key applies to proxy server use of Location Services and requires a Pro or Enterprise plan.

Access

Only the team owner can generate a service key and token.

The nRF Cloud portal and APIs allow you to generate a new service key, along with a service token signed with it.

Before you can generate a service key, you must first declare proxy server usage on your Manage plan page in the nRF Cloud portal.

If you have previously created keys for separate services, they are still valid until you generate a new key.

In the nRF Cloud portal

To generate a service key and token:

1. Log in to the nRF Cloud portal.
2. In the left sidebar, click Device Management. A panel opens to the right.
3. Click Manage Service Key. The service key page opens.
4. Click Generate New Key.
5. Type generate new key in the text box to confirm.

6. Click OK. The server generates and shows the private key.

   Caution

   Creating a new service key invalidates JWTs signed with the old one.

7. Copy and store the key in a secure place by selecting and copying the text, or by clicking the icon below the text box. If you lose the key or it is compromised, you will need to generate a new key. Use this key to sign your own JWT if you choose not to use the service token that nRF Cloud generates.

8. Click the X in the upper right corner to close the dialog box.

   The server generates a service token, signed with the newly generated service key. This token is valid for one year.

9. Copy and store the service token in a secure place.

You can view the generated token from this page later.

Using the nRF Cloud APIs

Access

Only the team owner can generate and view the service key and token. If you are not a team owner and try to call the endpoints in this section, the server responds with the following:

{"message": "This operation can only be performed by: owner", "code": 40100}

• Use the GenerateServiceKeyAndToken endpoint to generate both a service key and service token signed with it.

The server responds with a key and token. The token is valid for one year.

nRF Cloud does not store the private key, so copy and store it in a secure place. Use this key to sign your own JWT if you choose not to use the service token that nRF Cloud generates.

• Use the GetServiceKeyAndToken endpoint to view the token after generating it.

The server responds with the last generated token and time of creation.