Registering or viewing your API key is one of the two essential onboarding steps in order to start using the AISec Platform. The API key enables you to directly use HiddenLayer’s API endpoints to get the full AISec Platform experience. Once logged in, existing users can edit and create new API keys on the Admin > API Keys page. The second step is choosing your integration options (Third Party Integrations).
In the Console, go to Admin > API Keys.
Click + New.
Enter a name for the API key, select an expiration, then click Next.
Select the permissions for each category, then click Create API Key. You can select a combination of Read, Write, and Delete permissions, or click All to allow all permissions for the selected category.
See the API Permissions and API Resources tables below for more information.
No Permissions SelectedNot selecting any permissions will create an API key with all permissions enabled.
A unique API key is generated. The
clientIDandclientSecretinformation is displayed. Click on the copy icon and save into a password manager or to a file in a secure location.Save the ID and SecretIt is important to save this information because you cannot retrieve it in the future.
After saving this information, click Close.
When an API key is created, an expiration is set. When an API key expires, it is securely deleted and automatically removed from the Console.
On the API Keys page, click the three vertical dots for the API key you want to delete.
Click Delete. A message displays, asking you to confirm deleting the key.
Click Delete.
API keys are highly secure assets and should be treated as such. Below are examples of when new API keys need to be created. This list is provided as examples based on best practices, and is not exhaustive. We recommend reviewing your own company policies around such requirements.
| Scenario | Description |
|---|---|
| Security Updates | Create a new API key if you suspect that the current key has been compromised or as part of regular security updates. Regularly rotating API keys is a good security practice. |
| New Team Members or Roles | If a new team member requires access or if there are changes in roles within the team, generating a new API key can help maintain proper access controls. |
| Project or Environment Changes | For different projects or development environments (like staging, production), it's advisable for you to use separate API keys. This helps in tracking and managing access more effectively. |
| After Key Expiration | If the API key has an expiration date, a new key must be created upon its expiry to maintain uninterrupted access to the platform. |
| Policy or Compliance Requirements | You may have organizational policies or compliance standards in place that dictate how often API keys should be rotated or renewed. |
| Lost API Key | API keys are not recoverable. If you forget or lose your API key you must create a new one. |
| Permission | Description |
|---|---|
| All | The ability to read, write, and delete items in the given category. |
| Delete | The ability to delete items in the given category. |
| Read | The ability read or view items in the given category. |
| Write | The ability to create or edit items in the given category. |
| Category | Description |
|---|---|
| API Keys | The keys for interacting with the HiddenLayer API. |
| Audit | The user activity in the Console is recorded in the audit log. |
| Detections | A Detection is a grouping of convictions, which are malicious events. |
| Inference | An Inference is the process where a model makes predictions or draws conclusions from new data. |
| Integrations | Integrations with third-party tools, like Azure ML and Azure Sentinel. |
| Model Inventory | The Model Inventory is for model scans. |
| Model Scanner | The permissions for the Model Scanner CLI when deployed in Hybrid Mode. |
| Users | Users who have access to the HiddenLayer Console. |
When creating an API key, users should only be given access to what is required (principle of least privilege). The following table contains the API permissions needed to perform certain tasks.
| Page | Action | API Permission |
|---|---|---|
| Audit | Read | Audit Log: Read |
| Model Inventory | View | Model Inventory: Read |
| Delete Model | Model Inventory: Delete | |
| Upload | Model Inventory: Write | |
| Community | Model Inventory: Write | |
| Model Details | View | Model Inventory: Read |
| Detections | List | Detections: Read |
| View Details | Detections: Read | |
| Add Note | Detections: Write | |
| Close Detection | Detections: Write | |
| Review Inferences (Model Details and AIDR) | View | Inferences: Read |
| Admin Settings - Users | View | Users: Read |
| Create User | Users: Write | |
| Edit User | Users: Write | |
| Delete User | Users: Delete | |
| Admin Settings - API Keys | View | API Keys: Read |
| Create API Key | API Keys: Write | |
| Delete API Key | API Keys: Delete | |
| Admin Settings - SSO Providers | View | Integrations: Read |
| Create | Integrations: Write | |
| Configure | Integrations: Write | |
| Enable | Integrations: Write | |
| Disable | Integrations: Write | |
| Delete | Integrations: Delete | |
| Admin Settings - Integrations | View | Integrations: Read |
| Azure ML | Integrations: Write | |
| Sentinel | Integrations: Write | |
| LLM Sandbox | Prompt | Inferences: Write Model Inventory: Write |
| Rulesets | Use Default Ruleset in AIDR deployment | Ruleset: Read |
| Projects | Use Project and Ruleset in AIDR deployment | Projects: Read Ruleset: Read |
Some HiddenLayer products require an API key and secret. The following table covers the API Permissions needed for a product deployment.
| Product | API Permission | Notes |
|---|---|---|
| AI Detection & Response Generative |
| Permissions needed for AIDR Generative. |
| Automated Red Teaming |
| Only requires an API client ID and secret that are not expired. |
| Interactions (SaaS) |
| Only requires an API client ID and secret that are not expired. |
| Model Scanner CLI Hybrid Mode |
| Permissions needed for Model Scanner CLI deployed in Hybrid Mode, including Community Scan. Hybrid Mode sends scan results to the AISec Platform. |
| Model Scanner GitHub Action |
| These are the only permissions required to scan models using the GitHub Action integration (including Community Scan). No additional permissions are needed. |
| Model Scanner Azure DevOps Plugin |
| These are the only permissions required to scan models using the Azure DevOps plugin (including Community Scan). No additional permissions are needed. |
| Prompt Analyzer (SaaS) |
| Only requires an API client ID and secret that are not expired. |