API key requirements on API
-
Hi,
We're wanting to use the API /api/promotions/promote to promote NuGet / Chocolatey packages in an environment with Windows Authentication in place.
However, we get the following response from the request: An API key is required to promote packages.
This is frustrating - we manage the permissions with Windows Authentication - can you please remove this restriction?
Kind Regards,
James
Product: ProGet
Version: 4.8.7
-
API Keys are required for all of our endpoints. This is by design, because API and interactive (user) access are quite different, and they resolve access differently.
If you want to not use an API key, you could create one called "dummy" and always pass that in the URL; however that's not recommended, because it's like a password.
In this case, WIA is only used to "authenticate" the request, not authorize it.
-
Alana,
Creating a dummy API key creates issues with pushing packages using WIA, so that is not a solution for us - "When a NuGet API key is set for a feed, that key will always be required to push packages, in addition to any other configured privileges".
We use the built-in roles/tasks/privileges in ProGet for authorization; an API key is not helpful here - there is no good security reason for adding it. We have services running on Windows that support WIA and we want these to hit the API without having to use an API key.
Can we make it a feature request please?
Thank you
James
-
The promotion API endpoint does not use a NuGet API key; it uses a ProGet API key. It is unfortunate that the terminology is similar, but feed endpoints are handled independently from ProGet API endpoints, so creating a ProGet API key will not interfere with normal dev use of the NuGet feed.
You need to create an API Key in the Admin > API Keys section, and that API key will only be used for ProGet API endpoints (i.e. package promotion, package deployment, and the future "feed management" API).