
API Key Security: Rotation, Scoping, and Anomaly Detection

How InventoryOS protects your integrations with three layers of defense—and what you need to do on your side.

November 10, 2024

API keys are the backbone of automation and integration, but they're also a prime target. If an API key leaks, attackers can read your device inventory, exfiltrate data, or inject false telemetry. InventoryOS takes API key security seriously with three layers of protection: scoped permissions, automatic key rotation, and anomaly detection.

1. Scoped Permissions (Principle of Least Privilege)

Every API key in InventoryOS is assigned a scope—a set of permissions that defines exactly what that key can do. The available scopes are:

  • full_access — Full read/write access to the organization (devices, software, rules, etc.)
  • telemetry:write — Send telemetry data only (agent ingest)
  • commands:read — Read commands queued for agents
  • ingest:write — Write to the ingest pipeline (device/software data)

Warning: You should never use full_access for automated scripts or CI/CD pipelines. If that key leaks, an attacker gains complete control over your inventory data.

For example, a deployment script that only pushes device data into InventoryOS needs ingest:write and nothing more. If that key leaks, the attacker can't read device data, read queued agent commands, or modify compliance rules. They can still write false device and software records through the ingest pipeline, so a leak is still an incident that calls for revoking the key and checking what it wrote, but the blast radius stays small.

Best practice: Create one key per integration, each with the minimum scope needed. An agent that only reports telemetry gets telemetry:write; a tool that polls for queued commands gets commands:read. Never share keys across tools: a shared key can't be scoped to the tightest need of any one tool, can't be rotated for one tool without breaking the others, and an anomaly alert on it can't be tied back to a single integration.

Key Takeaway: Use scoped keys for every integration. Reserve full_access for interactive dashboard use only, never for scripts.

2. Automatic Key Rotation

Keys that live in scripts get stale. People leave the company. Keys end up in logs, config dumps, or accidentally committed to git. The longer a key exists, the more likely it is to be exposed. Rotation limits the window of exposure.

InventoryOS makes rotation straightforward: generate a new key with the same scope, update your integration with the new value, confirm the integration is working (the new key's last-used timestamp in the dashboard should update), then revoke the old one. Both keys work during the transition, so there is no downtime, but the rotation is not finished until the old key is revoked.

Recommendation: Rotate every 90 days, and immediately when an employee with access leaves the organization or a key is suspected of exposure, for example because it was committed to a repository, printed in a log, or flagged by an anomaly alert.

The dashboard shows key age and last-used timestamps, so you can spot keys that are overdue for rotation or no longer in use. Revoke unused keys promptly—they add risk without adding value.

Key Takeaway: Rotate keys every 90 days. Use the dashboard to track key age and last-used timestamps. Revoke keys as soon as they're no longer needed.
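The scoping and rotation behaviour from sections 1 and 2, as an added example. This is not InventoryOS code and not a description of how its backend is built: it is a small key store that issues keys with the four listed scopes, checks a request against the key's scope, rotates with an overlap window, and reports overdue and idle keys the way the dashboard's key-age and last-used views would. The route names, the hashed-secret storage, the key id and secret formats, and the 90-day and 30-day thresholds are assumptions made for the example.

```python
# Added illustration (not InventoryOS code): scoped keys, overlap rotation and
# key-age reporting. Routes, hashing, key formats and thresholds are assumptions.
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

SCOPES = {"full_access", "telemetry:write", "commands:read", "ingest:write"}

# Assumed routes and the scope each requires; full_access satisfies any route.
ROUTE_SCOPES = {
    ("POST", "/v1/ingest"): "ingest:write",
    ("POST", "/v1/telemetry"): "telemetry:write",
    ("GET", "/v1/commands"): "commands:read",
    ("GET", "/v1/devices"): "full_access",
}

@dataclass
class KeyRecord:
    key_id: str
    digest: str                     # sha256 of the secret; plaintext is never stored
    scope: str
    created: datetime
    last_used: Optional[datetime] = None
    revoked: bool = False

def _digest(secret: str) -> str:
    return hashlib.sha256(secret.encode()).hexdigest()

class ApiKeyStore:
    def __init__(self, now: Callable[[], datetime]):
        self._now = now             # injectable clock so age checks are testable
        self._by_digest: dict[str, KeyRecord] = {}
        self.records: list[KeyRecord] = []

    def issue(self, scope: str) -> tuple[str, str]:
        """Create a key; the secret is returned once and only its hash is kept."""
        if scope not in SCOPES:
            raise ValueError(f"unknown scope {scope!r}")
        secret = f"ios_{secrets.token_urlsafe(24)}"
        rec = KeyRecord(f"k_{len(self.records) + 1}", _digest(secret), scope, self._now())
        self._by_digest[rec.digest] = rec
        self.records.append(rec)
        return rec.key_id, secret

    def authorize(self, secret: str, method: str, route: str) -> bool:
        rec = self._by_digest.get(_digest(secret))
        if rec is None or rec.revoked:
            return False
        rec.last_used = self._now()  # recorded even for denied requests
        needed = ROUTE_SCOPES[(method, route)]
        return rec.scope == "full_access" or rec.scope == needed

    def rotate(self, key_id: str) -> tuple[str, str]:
        """Issue a replacement with the same scope. The old key keeps working
        until revoke() is called, so the integration can switch without downtime."""
        old = next(r for r in self.records if r.key_id == key_id)
        return self.issue(old.scope)

    def revoke(self, key_id: str) -> None:
        for r in self.records:
            if r.key_id == key_id:
                r.revoked = True

    def overdue(self, max_age: timedelta = timedelta(days=90)) -> list[str]:
        """Live keys older than the rotation interval."""
        return [r.key_id for r in self.records
                if not r.revoked and self._now() - r.created > max_age]

    def unused(self, idle: timedelta = timedelta(days=30)) -> list[str]:
        """Live keys with no request inside the idle window."""
        cutoff = self._now() - idle
        return [r.key_id for r in self.records
                if not r.revoked and (r.last_used or r.created) < cutoff]

def demo() -> dict:
    clock = [datetime(2024, 11, 10, tzinfo=timezone.utc)]
    store = ApiKeyStore(lambda: clock[0])
    old_id, old_key = store.issue("ingest:write")
    idle_id, _ = store.issue("commands:read")       # issued but never used
    out = {"ingest_can_write": store.authorize(old_key, "POST", "/v1/ingest"),
           "ingest_can_read_devices": store.authorize(old_key, "GET", "/v1/devices")}
    clock[0] += timedelta(days=100)                 # past the 90-day interval
    out["overdue_before"] = store.overdue()
    _, new_key = store.rotate(old_id)
    out["old_works_during_overlap"] = store.authorize(old_key, "POST", "/v1/ingest")
    out["unused"] = store.unused()
    store.revoke(old_id)                            # only after new_key is deployed
    store.revoke(idle_id)
    out["old_after_revoke"] = store.authorize(old_key, "POST", "/v1/ingest")
    out["new_works"] = store.authorize(new_key, "POST", "/v1/ingest")
    out["overdue_after"] = store.overdue()
    return out

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two details carry the security point. The store keeps only a hash of the secret, so a dump of the key table does not leak usable keys, and rotate() deliberately does not revoke: the old key stays valid until the integration has been seen using the new one, which is the overlap that makes rotation zero-downtime, and also why a rotation that never gets to the revoke step has changed nothing.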

3. Anomaly Detection

InventoryOS monitors API key usage patterns in the background. When something doesn't look right, you get an alert. What triggers an alert?

  • Requests from a new IP range (e.g., a key normally used from your office suddenly used from another country)
  • Unusual request volume spike (e.g., 10x normal traffic in an hour)
  • Requests to endpoints outside the key's normal pattern (e.g., a key that usually hits ingest suddenly querying device lists)
  • Use of a key that's been dormant for weeks or months

Alerts are sent by email to the organization owner with the key name, the trigger, the source IP, and the timestamp. When you get one, check whether the source IP belongs to a host that should hold that key and whether the integration's owner can explain the activity. If not, rotate the key immediately, which means issuing a replacement and revoking the suspect key rather than leaving both valid, then use the API key activity log to review what the key did between the first anomalous request and the revocation.

Key Takeaway: Anomaly detection catches what scoping and rotation miss. Respond to alerts quickly: verify the source, then rotate the key if you can't explain the activity.
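The four triggers above written out as detection rules and run over constructed usage records, as an added example. It is not InventoryOS's detector, whose internals the article does not describe. It assumes a per-request record of timestamp, key id, source IP and route, treats a new /24 as a new source network, flags an hour with more than 10x the key's usual hourly volume, and flags any key that has been unused for more than 30 days; the baseline history and the suspicious hour are made up for the example.

```python
# Added illustration of the four alert conditions above (not InventoryOS's
# detector). Record format, /24 granularity, the 10x volume threshold and the
# 30-day dormancy window are assumptions; the usage data is constructed.
import ipaddress
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Event:
    ts: datetime
    key_id: str
    ip: str
    route: str

@dataclass(frozen=True)
class Alert:
    key_id: str
    reason: str
    ip: str
    ts: datetime

def _net(ip: str) -> str:
    """Collapse an address to its /24: a new host in a known range is fine,
    a new network is not."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))

def detect(baseline: list[Event], window: list[Event], spike_factor: float = 10.0,
           dormant_after: timedelta = timedelta(days=30)) -> list[Alert]:
    """Compare one hour of new events against each key's own history."""
    nets, routes, last_seen = defaultdict(set), defaultdict(set), {}
    hourly = defaultdict(Counter)            # key_id -> requests per busy hour
    for e in baseline:
        nets[e.key_id].add(_net(e.ip))
        routes[e.key_id].add(e.route)
        last_seen[e.key_id] = max(e.ts, last_seen.get(e.key_id, e.ts))
        hourly[e.key_id][e.ts.replace(minute=0, second=0, microsecond=0)] += 1

    alerts, fired = [], set()

    def fire(e: Event, reason: str) -> None:
        if (e.key_id, reason) not in fired:  # one alert per key and reason
            fired.add((e.key_id, reason))
            alerts.append(Alert(e.key_id, reason, e.ip, e.ts))

    per_key = defaultdict(list)
    for e in window:
        per_key[e.key_id].append(e)
    for key_id, events in per_key.items():
        if key_id not in last_seen:
            continue                         # brand-new key: nothing to compare
        events.sort(key=lambda e: e.ts)
        if events[0].ts - last_seen[key_id] > dormant_after:
            fire(events[0], "dormant key reused")
        avg = sum(hourly[key_id].values()) / len(hourly[key_id])  # busy hours only
        if len(events) > spike_factor * avg:
            fire(events[0], "request volume spike")
        for e in events:
            if _net(e.ip) not in nets[key_id]:
                fire(e, "new source network")
            if e.route not in routes[key_id]:
                fire(e, "endpoint outside normal pattern")
    return sorted(alerts, key=lambda a: a.ts)

def sample_data() -> tuple[list[Event], list[Event]]:
    """Constructed history (1 Oct to 9 Nov) and one suspicious hour on 10 Nov."""
    start, baseline = datetime(2024, 10, 1, 9, 0), []
    for day in range(40):
        for hour in range(8):                # 8 busy hours a day
            t = start + timedelta(days=day, hours=hour)
            baseline += [Event(t + timedelta(minutes=m), "k_ingest", "203.0.113.7",
                               "/v1/ingest") for m in range(20)]
            baseline += [Event(t + timedelta(minutes=m), "k_agent", "203.0.113.8",
                               "/v1/telemetry") for m in range(5)]
    baseline.append(Event(start, "k_dash", "203.0.113.20", "/v1/devices"))  # used once

    t1 = datetime(2024, 11, 10, 10, 0)
    window = [Event(t1 + timedelta(seconds=14 * i), "k_ingest", "198.51.100.9",
                    "/v1/devices" if i % 100 == 50 else "/v1/ingest")
              for i in range(250)]           # 250 calls from a new /24, two of them reads
    window.append(Event(t1 + timedelta(minutes=5), "k_dash", "203.0.113.20", "/v1/devices"))
    window += [Event(t1 + timedelta(minutes=m), "k_agent", "203.0.113.8", "/v1/telemetry")
               for m in range(6)]            # normal traffic, should stay quiet
    return baseline, window

def run_sample() -> list[Alert]:
    return detect(*sample_data())

if __name__ == "__main__":
    for a in run_sample():
        print(f"{a.ts:%Y-%m-%d %H:%M:%S} {a.key_id:<9} {a.ip:<14} {a.reason}")
```

On the sample, the ingest key raises three alerts (volume spike, new source network, a read of /v1/devices it never made before), the long-idle dashboard key raises one, and the agent key that behaved normally raises none. The baseline is built per key, which is why one key per integration (section 1) also makes alerts sharper: a key shared by three tools has a blurred profile that a new endpoint or source network can hide inside. Averaging over busy hours only is a simplification; a production detector would model quiet hours and weekends too.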

4. Best Practices Checklist

Use this checklist when creating or managing API keys:

  • Use scoped keys—never full_access for scripts
  • One key per integration—don't share keys across tools
  • Rotate every 90 days, and immediately on suspected exposure
  • Never commit keys to git repositories
  • Use environment variables or a secrets manager
  • Monitor the API key activity log in the dashboard
  • Revoke unused keys promptly

Conclusion

Security is a layered game. Scoping limits blast radius: if a key leaks, the attacker can only do what that key allows. Rotation limits exposure time: a key that was compromised earlier becomes useless once you replace it and revoke the old one. Anomaly detection catches what slips through: unusual activity triggers an alert so you can respond before much damage is done. Together, these three layers make a leaked key far less costly, though none of them replaces keeping keys out of repositories and logs in the first place.
