Stronger language when an API key is created that it cannot be shared anywhere publicly.
More details in the API documentation, linked from the Terms of Use, on how to keep API keys secure.
As a developer and Notify API user, I need information documented in obvious places so that I understand how to keep my API keys secure and so I can follow the Terms of Use for GC Notify.
WHY are we building?
For better API key security and so our users are able to follow our Terms of Use so we don't have security issues.
WHAT are we building?
Updated documentation in the UI and in the API documentation
VALUE created by our solution
Better comprehension from developers of how to keep their API keys safe and fewer security issues or incidents related to API keys
Documentation and Artifacts
From UK Notify's new Terms of Use:
NotifyUK has some new terms of use, including nice stuff around api keys
API keys
If you use the Notify API to send messages, you must protect your API keys from unauthorised access or disclosure. This includes encrypting the keys at rest and in transit. You should also rotate your keys:
at least once every year
when someone with access to a key leaves your team
whenever you suspect that a key may have been compromised
Do not hard-code your API keys.
We recommend that you use a cloud service provider’s key management service to keep your API keys secure. For more information, read the NCSC guidance.
Acceptance Criteria
Given a developer is using the GC Notify API, when they read the Terms of Use and the API documentation while onboarding, then they understand the steps to keep their API keys safe
Given a developer is creating an API key in GC Notify, then when they take that step, they are presented in the UI with further details reminding them how to keep their API keys secure.
[ ] Cypress UI tests if needed.
[ ] Generate appropriate log messages so that executions of this feature can be tracked
[ ] Can misuse of this feature cause harm? If yes, create an alert
[ ] Update the status of related findings, insights, and hypotheses on the Research Airtable
[ ] Once change/fix/feature is implemented, link relevant Airtable records to design artifacts (Figma)
Description
Stronger language when an API key is created that it cannot be shared anywhere publicly. More details in the API documentation, linked from the Terms of Use, on how to keep API keys secure.
As a developer and Notify API user, I need information documented in obvious places so that I understand how to keep my API keys secure and so I can follow the Terms of Use for GC Notify.
WHY are we building? For better API key security and so our users are able to follow our Terms of Use so we don't have security issues. WHAT are we building? Updated documentation in the UI and in the API documentation VALUE created by our solution Better comprehension from developers of how to keep their API keys safe and fewer security issues or incidents related to API keys
Documentation and Artifacts
From UK Notify's new Terms of Use: NotifyUK has some new terms of use, including nice stuff around api keys API keys If you use the Notify API to send messages, you must protect your API keys from unauthorised access or disclosure. This includes encrypting the keys at rest and in transit. You should also rotate your keys: at least once every year when someone with access to a key leaves your team whenever you suspect that a key may have been compromised Do not hard-code your API keys. We recommend that you use a cloud service provider’s key management service to keep your API keys secure. For more information, read the NCSC guidance.
Acceptance Criteria
Given a developer is using the GC Notify API, when they read the Terms of Use and the API documentation while onboarding, then they understand the steps to keep their API keys safe
Given a developer is creating an API key in GC Notify, then when they take that step, they are presented in the UI with further details reminding them how to keep their API keys secure.
[ ] Cypress UI tests if needed.
[ ] Generate appropriate log messages so that executions of this feature can be tracked
[ ] Can misuse of this feature cause harm? If yes, create an alert
[ ] Update the status of related findings, insights, and hypotheses on the Research Airtable
[ ] Once change/fix/feature is implemented, link relevant Airtable records to design artifacts (Figma)
A11y
Bilingualism
Privacy considerations
Security controls in place
Measuring success and metrics
Related Research Airtable records
QA Steps
GC Articles Publish checklist