Application Authentication Overview

Last updated on 25 February, 2023

LogicMonitor application authentication secures the data you ingest from your application to the LogicMonitor platform and vice versa. This is achieved mainly through different tokens. You need authentication mainly for API-based interaction (logs, metrics, or traces) with the LogicMonitor platform or for your account management actions (thresholds and alert management). For more information on creating API tokens, see API Tokens.

Types of Tokens

The two methods of application authentication are listed as follows: 

  • LMv1 Token
  • Bearer Token

LMv1 Tokens

An LMv1 token is a key-based authentication method that allows you to authenticate the API calls from your custom application to the LogicMonitor platform. The LMv1 token consists of a key pair (access-id and access-key).

For example, if you’re an application developer and have access to the application source code, it is recommended that you use an LMv1 token to authenticate API calls to the LM platform.

The following are some benefits of using the LMv1 tokens:

  • Language neutral: You can use any programming language to implement the specifications. 
  • Tampering check: A built-in feature checks for any tampering with the data in transit to the platform.
  • User-specific: The LMv1 tokens are user-specific, regardless of whether you use the API or the user interface. You can perform different actions (API calls) based on your assigned roles.
  • Handle compromise: The user roles are managed at the server end. In case of compromised tokens, you (admin) can disable the token and restrict the permissions for the user with the compromised token.

Bearer Tokens

Important: Bearer tokens are available only to users who have enabled Traces (LM APM license).

Bearer tokens are designed to provide application owners with an authentication mechanism by which they can authenticate the API calls from their applications to the LM Platform. You don’t need application code access to authenticate applications with the platform. Once created, you can copy the bearer token in full text. Only required fields can be edited in the bearer token for easy implementation.

You can use Bearer tokens in applications that don’t have encoding. These tokens are used directly as authorization headers.
For example, if you’re an application developer and don’t have full access to the application source code, you can set HTTP headers with a static Bearer token, without much modification to the application code.

The following are some benefits of using the Bearer tokens:

  • Language neutral: You can use any programming language to implement the specifications. 
  • User-specific: Bearer tokens are user-specific, regardless of whether you use the API or the user interface. You can perform different actions (API calls) based on your assigned roles.
  • Handle compromise: The user roles are managed at the server end. In case of compromised tokens, the admin can disable the token and restrict the permissions for the user with the compromised token.
  • Less technical know-how: You need only limited application code access and minimal skill to inject HTTP headers into the API call.

Best Practices

  • Limit the use of the tokens per application. Do not configure the same token in more than one application.
  • Create the tokens with API users. This avoids the risk of stranded tokens if the user interface user is no longer with the organization.
  • Assign only the necessary (minimum) permissions to the token owners for performing required operations in the LogicMonitor platform.
  • Refresh the tokens periodically and update the token in the application to avoid any compromise to the tokens.
  • Implement an encryption-at-rest mechanism in the application for secure token storage.
  • Avoid changing the token through the application source code. The token must be configured through environment variables.
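
The following is an added example, not part of the original page or LogicMonitor's own code. It builds an LMv1 Authorization header from a key pair read from environment variables and shows the tampering check from the LMv1 benefits list: a request whose body changed in transit no longer matches its signature, whereas a Bearer header signs nothing. The signing steps follow LogicMonitor's published LMv1 scheme, which this page does not spell out; the variable names LM_ACCESS_ID and LM_ACCESS_KEY, the helper names, and the sample values are assumptions.

```python
import base64
import hashlib
import hmac
import os
import time


def lmv1_header(access_id, access_key, verb, resource_path, body="", epoch_ms=None):
    """Build the LMv1 Authorization header value for one request."""
    epoch = str(epoch_ms if epoch_ms is not None else int(time.time() * 1000))
    # Signed string: HTTP verb + epoch (milliseconds) + request body + resource path.
    message = verb.upper() + epoch + body + resource_path
    digest = hmac.new(access_key.encode(), message.encode(), hashlib.sha256).hexdigest()
    signature = base64.b64encode(digest.encode()).decode()
    return f"LMv1 {access_id}:{signature}:{epoch}"


def bearer_header(token):
    """A bearer token is sent as-is; nothing in the request is signed."""
    return f"Bearer {token}"


def load_credentials(env=os.environ):
    """Read the key pair from the environment (variable names are hypothetical)."""
    try:
        return env["LM_ACCESS_ID"], env["LM_ACCESS_KEY"]
    except KeyError as missing:
        raise RuntimeError(f"missing credential variable: {missing}") from None


def signature_matches(header, access_key, verb, resource_path, body):
    """Recompute the signature as a receiver would and compare in constant time."""
    scheme, _, rest = header.partition(" ")
    access_id, _signature, epoch = rest.split(":")
    expected = lmv1_header(access_id, access_key, verb, resource_path, body, int(epoch))
    return scheme == "LMv1" and hmac.compare_digest(expected, header)


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    env = {"LM_ACCESS_ID": "example-id", "LM_ACCESS_KEY": "example-key"}
    access_id, access_key = load_credentials(env)
    body = '{"name":"example"}'
    header = lmv1_header(access_id, access_key, "POST", "/device/devices", body)
    print(header)
    print(signature_matches(header, access_key, "POST", "/device/devices", body))
    print(signature_matches(header, access_key, "POST", "/device/devices", body + " "))
```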