Managing and Rotating API Keys

Server Scout uses unique API keys to authenticate your monitoring agents with the centralised monitoring service. Each server receives a 64-character hexadecimal API key during initial setup, which serves as its primary authentication credential. Understanding how to properly manage and rotate these keys is essential for maintaining the security of your monitoring infrastructure.

How API Keys Work in Server Scout

When you set up a new server in Server Scout, the system automatically generates a unique 64-character hexadecimal API key. This key looks something like a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2 (an illustrative value, not a real key) and serves as your server's digital identity.

The Server Scout agent uses this key for all communications with the monitoring service by including it in the X-API-Key HTTP header with every request. This approach ensures that only authorised agents can submit monitoring data to your account whilst keeping the authentication process lightweight and efficient.

When to Rotate API Keys

Regular API key rotation is a fundamental security practice that helps protect your monitoring infrastructure. Consider rotating keys in the following scenarios:

  1. Staff departure - When team members with access to server configurations leave your organisation
  2. Suspected compromise - If you believe an API key may have been exposed or accessed by unauthorised parties
  3. Periodic security policy - As part of your organisation's regular security maintenance schedule (typically every 90-180 days)
  4. After security incidents - Following any breach or security event that may have exposed configuration files
  5. Server decommissioning - When removing servers from service to prevent potential key reuse

Rotating Keys Without Downtime

Server Scout's management API includes a regenerate action that allows you to rotate keys seamlessly. The process creates a new API key and immediately invalidates the previous one; there is no overlap period in which both keys remain valid, so the agent configuration must be updated promptly after regeneration.

Here's how to rotate an API key without service interruption:

1. Generate the New Key

Access your Server Scout dashboard and navigate to the server management section. Locate the target server and click the "Regenerate API Key" option. The system will immediately create a new 64-character key and display it securely.

Important: Copy the new key immediately, as it won't be displayed again for security reasons.

2. Update Agent Configuration

Locate your Server Scout agent configuration file (typically /opt/scout-agent/agent.env.yml or /opt/serverscout/config.yml) and update the API key field:

api:
  key: "your-new-64-character-api-key-here"
  endpoint: "https://app.serverscout.ie"

Alternatively, if you're using environment variables:

export SERVERSCOUT_API_KEY="your-new-64-character-api-key-here"

3. Restart the Agent

Restart the Server Scout agent to apply the new configuration:

sudo systemctl restart scout-agent

Or if you're using the standalone binary:

sudo pkill scout-agent
sudo /opt/serverscout/scout-agent --daemon

4. Verify Connectivity

Check the agent logs to confirm successful authentication with the new key:

sudo journalctl -u scout-agent -f

Look for successful connection messages and ensure no authentication errors appear.
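The four steps above, collected into one script as an added example (this is not Server Scout's own tooling). Because the old key is invalidated the moment the new one is generated, the time between regenerating in the dashboard and the agent restarting is the window in which the agent cannot authenticate; doing the config edit, restart and check in one pass keeps that window short. The default config path and service name, the assumption that the config holds a single key: line under api:, and the log phrasings matched by the verification step are all assumptions, not details from the article.

```shell
#!/bin/sh
# Added example (not Server Scout's own tooling): performs steps 2-4 of the
# rotation procedure in one pass. Run as root: sudo sh rotate-key.sh rotate
# Assumptions not taken from the article: the config path and service name
# are defaults you can override via environment variables, and the config
# holds a single `key:` line under `api:`.

CONFIG="${SCOUT_CONFIG:-/opt/serverscout/config.yml}"
SERVICE="${SCOUT_SERVICE:-scout-agent}"

# A Server Scout key is 64 hexadecimal characters. Rejecting anything else
# before touching the config catches a truncated paste or stray whitespace.
validate_key() {
    printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{64}$'
}

# Replace the value on the `key:` line with the new key. The rewrite goes
# through a temp file in the same directory and is renamed over the original,
# so an interrupted write never leaves a half-edited config, and mode 0600
# keeps the key out of reach of other local users.
update_config_key() {
    cfg="$1"
    newkey="$2"
    tmp="$(mktemp "${cfg}.XXXXXX")" || return 1
    if ! sed -E "s|^([[:space:]]*key:[[:space:]]*)\"[^\"]*\"|\1\"${newkey}\"|" "$cfg" > "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    chmod 0600 "$tmp" && mv "$tmp" "$cfg"
}

# After the restart, look in the journal for authentication failures. The
# exact wording depends on the agent's log format (assumption), so several
# common phrasings and the HTTP 401 status are matched.
verify_agent() {
    sleep 5
    if journalctl -u "$SERVICE" --since "-5min" --no-pager 2>/dev/null \
        | grep -Eiq 'unauthori[sz]ed|authentication (failed|error)|invalid api key| 401'; then
        echo "agent reports authentication errors; check the key in $CONFIG" >&2
        return 1
    fi
    echo "no authentication errors logged for $SERVICE in the last five minutes"
}

rotate_key() {
    # The key is read from stdin rather than taken as an argument, so it does
    # not show up in process listings or the shell history.
    printf 'Paste the new API key from the dashboard: '
    read -r newkey
    if ! validate_key "$newkey"; then
        echo "rejected: key must be exactly 64 hexadecimal characters" >&2
        return 1
    fi
    update_config_key "$CONFIG" "$newkey" || return 1
    systemctl restart "$SERVICE" || return 1
    verify_agent
}

# Only act when explicitly asked, so the file can also be sourced for its
# functions without starting a rotation.
case "${1:-}" in
    rotate) rotate_key ;;
esac
```

If your agent reads the key from the SERVERSCOUT_API_KEY environment variable instead of the YAML file, point update_config_key at the file that sets that variable and adjust the sed expression to match the `SERVERSCOUT_API_KEY="..."` line; the validation, restart and verification steps stay the same.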

API Key Security Best Practices

Protecting your API keys requires implementing proper security measures throughout their lifecycle:

Store keys securely - Never commit API keys to version control systems or include them in publicly accessible configuration files. Use secure configuration management tools or environment variables instead.

Limit access - Restrict API key access to essential personnel only. Implement role-based access controls in your configuration management systems.

Monitor usage - Regularly review API key activity through Server Scout's dashboard to identify unusual patterns or unauthorised usage.

Rotate proactively - Don't wait for security incidents to rotate keys. Establish a regular rotation schedule and stick to it.

Document procedures - Ensure your team understands the key rotation process and maintains up-to-date documentation for emergency situations.
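One way to enforce the "never commit API keys" rule mechanically, as an added example that is not part of Server Scout: a scanner that looks through a checkout for values shaped like a Server Scout key in the two places this article shows one being set (the YAML key: field and the SERVERSCOUT_API_KEY variable). The pattern relies on the 64-hex-character format the article states; the function names, the redaction format and the idea of running it from a pre-commit hook are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Server Scout tooling): find values shaped like Server
# Scout API keys in a directory tree before they reach version control.
# Assumptions: keys are 64 hex characters (as the article states) and appear
# either on a YAML `key:` line or in a SERVERSCOUT_API_KEY assignment.

# Placeholder strings such as "your-new-64-character-api-key-here" are not
# hex and so are not flagged; only a real-looking 64-hex value matches.
KEY_PATTERN='(key:[[:space:]]*"?[0-9a-fA-F]{64}"?|SERVERSCOUT_API_KEY="?[0-9a-fA-F]{64})'

# Keep the first 4 hex characters of any key in a report line so an operator
# can tell which key leaked without the report itself becoming a leak.
redact_key() {
    sed -E 's/([0-9a-fA-F]{4})[0-9a-fA-F]{60}/\1[redacted]/g'
}

# Prints redacted file:line:content for each hit and returns 1 if anything was
# found (so it can gate a commit hook); returns 0 when the tree is clean.
find_committed_keys() {
    dir="$1"
    hits="$(grep -rEn --exclude-dir=.git "$KEY_PATTERN" "$dir" 2>/dev/null || true)"
    if [ -z "$hits" ]; then
        return 0
    fi
    printf '%s\n' "$hits" | redact_key
    return 1
}

# Only scan when a directory is given, so the file can also be sourced.
if [ -n "${1:-}" ]; then
    find_committed_keys "$1"
fi
```

From a git pre-commit hook, `find_committed_keys "$(git rev-parse --show-toplevel)"` refuses the commit whenever a key-shaped value is present in the working tree; the same function run over a configuration management repository gives a quick audit of where keys have already ended up.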

By following these practices and regularly rotating your Server Scout API keys, you'll maintain a robust security posture whilst ensuring continuous monitoring coverage for your infrastructure.

Frequently Asked Questions

How do I set up API keys for ServerScout monitoring agents?

ServerScout automatically generates a unique 64-character hexadecimal API key when you set up a new server. The agent uses this key in the X-API-Key HTTP header for all communications with the monitoring service. You'll need to add the key to your agent configuration file or set it as an environment variable.

How often should I rotate my ServerScout API keys?

You should rotate API keys every 90-180 days as part of regular security maintenance. Additionally, rotate keys immediately when staff with server access leave, after suspected compromises, following security incidents, or when decommissioning servers to prevent key reuse.

How does ServerScout API key authentication work?

Each ServerScout agent receives a unique 64-character hexadecimal API key that serves as its digital identity. The agent includes this key in the X-API-Key HTTP header with every request to the monitoring service, ensuring only authorised agents can submit monitoring data to your account.

Can I rotate API keys without causing monitoring downtime?

Yes, ServerScout allows seamless key rotation. Use the 'Regenerate API Key' option in your dashboard to create a new key, then update your agent configuration file and restart the agent. The old key is immediately invalidated when the new one is generated.

What should I do if my ServerScout API key stops working?

Check the agent logs using 'sudo journalctl -u scout-agent -f' for authentication errors. Verify the API key in your configuration file matches the one in your ServerScout dashboard. If issues persist, regenerate the key through the dashboard and update your agent configuration.

Where should I store ServerScout API keys securely?

Never commit API keys to version control or include them in publicly accessible files. Store them in secure configuration management tools, environment variables, or protected configuration files. Limit access to essential personnel only and implement role-based access controls.

What happens to the old API key when I regenerate a new one?

When you regenerate an API key in ServerScout, the system immediately invalidates the previous key to ensure no overlap period where both keys remain valid. This security measure prevents unauthorised access but requires immediate agent configuration updates.
