Keys Manager
Overview
The Keys Manager API lets you upload and manage keys used in your CDN site configuration. For example, you can upload keys to support Signature V4 authentication for an Amazon S3 bucket origin or URL signing. All keys uploaded by users in your organization are accessible to all other users in the same organization.
Each key must be assigned the correct type to work with the relevant configuration components. You specify the key type when uploading.
Supported types are:
- QSEC - Designates shared secret keys for URL signing.
- S3 - Designates access keys for Amazon S3 origins.
- generic - Used for keys that are not tied to a specific application. For example, generic keys may be used as origin keys. Note that the generic key type does not support tags.
When uploading a key intended for use by a specific component, ensure the key type matches the requirements of the component it will be used with. Otherwise, the key may not function as expected.
Authentication
Two authentication methods are supported for interacting with Qwilt APIs:
- API key based authentication
- Token based authentication
Examples
Upload a Key for URL Signing
This example illustrates how to upload a key for URL signing.
Use the QSEC key type to upload a shared secret key for URL signing, and the tags object to specify the kid, which will be included in the JWT token of the signed request to identify the key for validation.
Request Example
curl --request POST \
  --url https://keys-manager.cqloud.com/keys \
  --header 'Content-Type: application/json' \
  --data '{
    "type": "QSEC",
    "name": "exampleKey",
    "description": "Example shared secret key for URL signing.",
    "key": "bXlTZWNyZXRLZXkxM...",
    "base64Encoded": true,
    "tags": {
      "kid": "3"
    },
    "keySetId": 7,
    "expirationTimeMilli": 1725715200000
  }'
Response Example
{
  "id": 1,
  "type": "QSEC",
  "name": "exampleKey",
  "description": "Example shared secret key for URL signing.",
  "sha512": "b2b799f6f383f...",
  "tags": {
    "kid": "3"
  },
  "keySetId": 7,
  "expirationTimeMilli": 1725715200000,
  "ownerOrgId": "MyCompany"
}
Upload a Generic Key
This example uses the generic key type to upload an origin key.
Request Example
curl --request POST \
  --url https://keys-manager.cqloud.com/api/1/keys \
  --header 'Content-Type: application/json' \
  --header 'X-Api-Key: <your API key>' \
  --data '{
    "type": "generic",
    "name": "Example Key Name",
    "description": "Example key description.",
    "key": "<origin key>",
    "base64Encoded": false,
    "keySetId": 93,
    "expirationTimeMilli": 1746623096266
  }'
Response Example
{
  "id": 1,
  "type": "generic",
  "name": "Example Key Name",
  "description": "Example key description.",
  "sha512": "b2b799f6f383f378ecff3f5bcda6...",
  "keySetId": 93,
  "expirationTimeMilli": 1746623096266,
  "ownerOrgId": "MyCompany"
}
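An added example, not code from Qwilt or this page: a Python helper that builds the upload body with the secret base64-encoded and the expiry converted to epoch milliseconds, and rejects the type and tag combinations described above before anything is sent. The function name, the sample secret, and the rule that a QSEC key must carry a kid are assumptions.

```python
import base64
import json
from datetime import datetime, timezone

KEY_TYPES = {"QSEC", "S3", "generic"}  # the types this page lists


def build_key_upload(key_type, name, secret, key_set_id, expires,
                     description="", tags=None):
    """Build the JSON body for a key upload, enforcing the page's type rules."""
    if key_type not in KEY_TYPES:
        raise ValueError(f"unsupported key type: {key_type!r}")
    if key_type == "generic" and tags:
        raise ValueError("the generic key type does not support tags")
    # Assumption: a QSEC key without a kid is treated as an error here, since
    # the kid in the signed request's JWT is what identifies the key.
    if key_type == "QSEC" and not (tags or {}).get("kid"):
        raise ValueError("QSEC keys need tags.kid")
    if not isinstance(secret, bytes) or not secret:
        raise ValueError("secret must be non-empty bytes")
    # A naive datetime would be read as local time and shift the expiry.
    if expires.tzinfo is None:
        raise ValueError("expires must be timezone-aware")
    body = {
        "type": key_type,
        "name": name,
        "description": description,
        "key": base64.b64encode(secret).decode("ascii"),
        "base64Encoded": True,
        "keySetId": key_set_id,
        "expirationTimeMilli": round(expires.timestamp() * 1000),
    }
    if tags:
        body["tags"] = dict(tags)
    return body


if __name__ == "__main__":
    # Constructed sample values; read the real secret from a file or secret store.
    body = build_key_upload(
        "QSEC", "exampleKey", b"constructed-demo-secret", 7,
        datetime(2024, 9, 7, 13, 20, tzinfo=timezone.utc),
        description="Example shared secret key for URL signing.",
        tags={"kid": "3"},
    )
    # Pipe to: curl --request POST --url <endpoint> ... --data @-
    print(json.dumps(body, indent=2))
```

Piping the output into curl with --data @- sends the body from standard input, which keeps the secret out of the command line and shell history.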
Verify Key Addition
To verify the key addition, use the List Keys function, specifying the relevant keyset with the keySetId query parameter.
For example:
curl --request GET \
  --url 'https://keys-manager.cqloud.com/api/1/keys?keySetId=93' \
  --header 'Content-Type: application/json' \
  --header 'X-Api-Key: <your API key>'
Republish the Active Site Configuration
Republish the active site configuration to activate a new key, setting the keys attribute of the republishedResources object to true.
For example:
curl --request POST \
  --url 'https://media-sites.cqloud.com/api/v2/sites/<siteId>/publishing-operations/actions/republish' \
  --header 'Content-Type: application/json' \
  --header 'X-Api-Key: <your API key>' \
  --data '{
    "republishedResources": {
      "keys": true
    },
    "target": "ga"
  }'