Securing API Tokens
When a specialist clicked his or her own name at the far right of the toolbar and selected the option ‘My Profile’, it used to be possible for this person to go to the ‘API’ section and see his or her API token.
This is considered a potential security risk: an attacker who managed to gain access to someone’s 4me session could look up this person’s token and later use it to make transactions through 4me’s REST API.
That is why, from now on, an API token is presented only once to its owner. The owner is subsequently expected to treat this token like a password. To obtain a valid API token, people now need to click the Reset API token button. This warns the user that any integrations that rely on the current API token will stop working unless they are given the new token after the reset has completed.
Once the token has been reset, it is visible only once, so that its owner can copy it and store it securely in a password management application.
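The property described above (a token that the service can verify but never display again, and a reset that invalidates the previous token) is usually achieved by storing only a hash of the token on the server side. The following is an added illustration of that pattern in Python; it is not 4me's code, and the `TokenStore` class, its method names and the `"alice"` sample user are constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class TokenStore:
    """Illustrative server-side store for API tokens (hypothetical, not 4me's code).

    Only a salted SHA-256 digest of each user's token is kept, so a compromised
    session or a leaked database cannot recover the plaintext token later.
    """

    # user_id -> (salt, digest). The plaintext token is never stored.
    _records: Dict[str, Tuple[bytes, bytes]] = field(default_factory=dict)

    @staticmethod
    def _digest(token: str, salt: bytes) -> bytes:
        # Tokens are high-entropy random strings, so a single fast hash is
        # sufficient here (unlike user-chosen passwords, which need a slow KDF).
        return hashlib.sha256(salt + token.encode("utf-8")).digest()

    def reset_token(self, user_id: str) -> str:
        """Generate a fresh token, replace the old digest and return the plaintext.

        The returned value is the only time the plaintext exists outside the
        owner's hands; integrations that still use the previous token will
        fail to authenticate from now on.
        """
        token = secrets.token_urlsafe(32)      # 256 bits of randomness
        salt = secrets.token_bytes(16)
        self._records[user_id] = (salt, self._digest(token, salt))
        return token

    def show_token(self, user_id: str) -> Optional[str]:
        """Equivalent of the old 'My Profile > API' view: there is nothing to show.

        Because only a digest is stored, the plaintext cannot be recovered,
        regardless of who holds the session.
        """
        return None

    def authenticate(self, presented: str) -> Optional[str]:
        """Return the user_id that owns the presented token, or None."""
        for user_id, (salt, stored) in self._records.items():
            candidate = self._digest(presented, salt)
            # Constant-time comparison avoids leaking digest bytes via timing.
            if hmac.compare_digest(candidate, stored):
                return user_id
        return None


def reset_flow(store: TokenStore, user_id: str) -> Tuple[str, str, bool, bool]:
    """Run the reset scenario from the text and report what happened.

    Returns (old_token, new_token, old_still_valid, new_valid).
    """
    old = store.reset_token(user_id)
    new = store.reset_token(user_id)
    old_still_valid = store.authenticate(old) == user_id
    new_valid = store.authenticate(new) == user_id
    return old, new, old_still_valid, new_valid


if __name__ == "__main__":
    store = TokenStore()
    old, new, old_ok, new_ok = reset_flow(store, "alice")  # constructed sample user
    print("plaintext recoverable from the profile view:", store.show_token("alice"))
    print("old token still accepted after reset:", old_ok)
    print("new token accepted after reset:", new_ok)
```

The integration on the client side should read the token from a secret store or environment variable rather than from source code or a shared document; once the token has been copied into a password manager at reset time, that copy is the only recoverable one.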