Out of an abundance of caution relating to an ongoing incident, JumpCloud has decided to rotate all API Keys for JumpCloud Admins.
For JumpCloud Admins that are using a JumpCloud API key with an integration that relies on a JumpCloud admin API key will need to take action by updating integrations with their new API key(s).
For JumpCloud Admin that are not using a JumpCloud API key, no further action is required at this time as JumpCloud has rotated their API for them out of an abundance of caution.
View Old API Keys Actively Being Used
You can use Directory Insights to see if old API keys are still in use.
To view old API Keys actively being used:
- Log in to the JumpCloud Admin Portal.
- In the left hand navigation, click INSIGHTS > Directory.
- Select the appropriate Time Range to narrow events to the desired time period.
- In the Event Type dropdown menu, select admin_old_api_key_attempt to filter the events.
Make sure to select your desired Time Range when filtering for this event, the default is the Last 1 hour. Try extending the range for more results.
- A list of results will populate if there are any active, but old API keys being used.
- Click the dropdown arrow next to the timestamp of an event to see a Summary.
- Click the JSON tab to see the Admin’s Email Address, the User-Agent and Client IP address of the device that’s making the call to the JumpCloud API.
To access your new API Key:
- Log in to the JumpCloud Admin Portal as an Administrator or Command Runner.
- In the Admin Portal, click your account initials displayed at the top-right and select My API Key from the drop-down.
- Your new API key will be displayed in the resulting dialogue.
Once an Admin's API Key is rotated, the old API key associated to that Admin will no longer work. This will impact any of the following:
- AD Import
- HRIS integrations
- JumpCloud Powershell Module
- Directory Insights Serverless App
- 3rd party MDM Zero-touch packages
- Command Triggers
- Okta SCIM integration
- Azure AD SCIM integration
- Integrations built to create/update users and/or devices using 3rd party tools like Workato, Aquera, Tray,io, etc.
- Automations and custom applications, and any other use cases that involve an Administrators JumpCloud API key.
Each admin created automatically has an API key generated which corresponds with the role and related entitlements of the administrator (e.g. read only privileges versus administrative privileges). It is very important to exercise strong security posture when handling your JumpCloud API key. If you believe for any reason that your API key may have been shared or compromised, we recommend generating a new API key.