API Security - To whom do you give the keys to your spaceship?

Dear internet spaceship pilots,

As you might have learned from PrismX's dev blog about Tyrannis 1.2, we're adding a bunch of new features to the API later this month. This means that developers have the ability to make much cooler applications for you as a user, but it also increases the potential for abuse of the full API keys. So here's a public service announcement to remind everyone what the API is and why you should be careful about whom you give your API keys to.

The API

The API is a way for people to get data from New Eden, and use it for application development. It allows you to check your skill queue, market orders, evemails, and other interesting data from your mobile phone and other platforms, not just the EVE Client/EVE Gate.

This is done by querying a CCP-hosted web server, which talks (almost) directly to the game database. The data it returns is therefore near-live, rather than a stale export.

API Keys - Full vs. Limited

In order to get this data from our web server, an application needs to provide us with one or more of the following things:

  • A User ID
  • An API key (limited or full)
  • A Character ID

The second item is the one you need to take great care of. The User ID and Character ID are not secrets; the API key is. Anyone who holds it can query everything that key is allowed to see.

Here are the highlights of what data each type of key can access with the release of Tyrannis 1.2

  • Limited
    • Character sheet
    • Skill queue
    • Factional Warfare Statistics
    • Standings
  • Full
    • Everything that the limited key can access
    • A full list of everything you own
    • The status of your account (disabled, paid for, when it's paid until)
    • Your wallet journal and transaction list
    • All your mails and the content of them
    • Your contact list
    • Corporation data which you have access to through your roles

Keeping your API key secure and watching for abuse

As you can see, a full API key allows people to access a lot of data about all of the characters on your account. Sharing a full API key can be detrimental not only to your privacy, but to your whole corporation, especially if you share war plans for your corporation through evemail, send API keys by evemail, or have secret alts on your contact list. This is why you should only give your API key to people you truly trust, and keep an eye on how it is being used. Protecting your keys is your responsibility.

Should you want to know who has accessed your API key, you can see this where you manage your API key: we log all requests made with your key over the last 7 days. If you find any suspicious activity, change your API key by generating a new one. This invalidates your old API key, so anyone still holding the old one is locked out.

In general, at this point you should consider your full API key to be something that you only give to your closest friends and people you trust. Even then, your friends can pass your API key on to other people you might not trust, which is something to take into consideration. It is important to note that the API key is read-only: people can't log in to or take over your account by getting hold of it. They are, however, able to learn all about you, which might be bad for you in New Eden, especially if the people you are at war with get hold of this information.
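To make the three points above concrete (a limited key can read less than a full key, every request made with a key is logged for 7 days, and regenerating a key invalidates the old one), here is a small model of that behaviour. This is an added example, not CCP's code or the real EVE API: the endpoint names, the User ID 42, the IP addresses, the timestamps and the hex key format are all constructed for illustration.

```python
# Added example (not CCP's code). Models a limited key versus a full key,
# a per-key request log kept for 7 days, and key regeneration invalidating
# the old key. Endpoint names, IPs, IDs and the key format are constructed.
import secrets
from datetime import datetime, timedelta

# Constructed endpoint names, grouped by the access level the post lists.
LIMITED_ENDPOINTS = {"CharacterSheet", "SkillQueue", "FacWarStats", "Standings"}
FULL_ONLY_ENDPOINTS = {"AssetList", "AccountStatus", "WalletJournal",
                       "WalletTransactions", "MailMessages", "ContactList"}

LOG_RETENTION = timedelta(days=7)


class ApiKeyService:
    """Holds one limited and one full key per user ID, plus an access log."""

    def __init__(self):
        self._keys = {}   # (user_id, kind) -> current key string
        self._owner = {}  # key string -> (user_id, kind); revoked keys are removed
        self._log = []    # (timestamp, user_id, kind, endpoint, source_ip, allowed)

    def generate(self, user_id, kind):
        """Issue a fresh key of the given kind ('limited' or 'full').
        Any existing key of that kind for the user stops working."""
        assert kind in ("limited", "full")
        old = self._keys.get((user_id, kind))
        if old is not None:
            del self._owner[old]          # old key no longer resolves to anyone
        key = secrets.token_hex(16)       # constructed key format
        self._keys[(user_id, kind)] = key
        self._owner[key] = (user_id, kind)
        return key

    def request(self, key, endpoint, source_ip, now):
        """Serve one query. Returns True if the key is valid for the endpoint.
        Denied requests from a valid key are logged too, so the owner sees
        someone probing for data the key does not cover."""
        owner = self._owner.get(key)
        if owner is None:
            return False                  # unknown or invalidated key
        user_id, kind = owner
        allowed = endpoint in LIMITED_ENDPOINTS or (
            kind == "full" and endpoint in FULL_ONLY_ENDPOINTS)
        self._log.append((now, user_id, kind, endpoint, source_ip, allowed))
        return allowed

    def recent_requests(self, user_id, now):
        """Everything the user's keys were used for in the last 7 days."""
        return [e for e in self._log
                if e[1] == user_id and now - e[0] <= LOG_RETENTION]

    def unfamiliar_sources(self, user_id, now, trusted_ips):
        """Source addresses in the 7-day log that the owner does not recognise."""
        return {e[4] for e in self.recent_requests(user_id, now)} - set(trusted_ips)


def demo():
    svc = ApiKeyService()
    now = datetime(2010, 8, 1, 12, 0)    # constructed timestamp
    limited = svc.generate(42, "limited")
    full = svc.generate(42, "full")

    # A limited key serves the character sheet but not the wallet journal.
    r1 = svc.request(limited, "CharacterSheet", "10.0.0.5", now)
    r2 = svc.request(limited, "WalletJournal", "10.0.0.5", now)
    # The full key was passed on: an address the owner never used reads mail.
    r3 = svc.request(full, "MailMessages", "203.0.113.9", now + timedelta(days=1))
    # Entries older than 7 days drop out of the window the owner can review.
    svc.request(full, "Standings", "10.0.0.5", now - timedelta(days=8))
    suspicious = svc.unfamiliar_sources(42, now + timedelta(days=1), ["10.0.0.5"])

    # Regenerating the full key locks out whoever holds the leaked one.
    new_full = svc.generate(42, "full")
    r4 = svc.request(full, "MailMessages", "203.0.113.9", now + timedelta(days=2))
    r5 = svc.request(new_full, "MailMessages", "10.0.0.5", now + timedelta(days=2))
    return r1, r2, r3, suspicious, r4, r5


if __name__ == "__main__":
    print(demo())
```

The part worth copying into any real key-based API is that the log keeps denied requests as well as successful ones: a limited key being used to poke at wallet or mail endpoints is exactly the pattern that tells an owner the key has reached someone who was hoping it was a full one.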

But that's all for now. Fly safe, and keep your API keys safe!

  • CCP Stillman