Audit Log & Security
Security and auditability built-in.
The Frends API Portal includes comprehensive audit logging and security features to help you maintain visibility into portal activities and ensure that your APIs are accessed securely and appropriately.
Audit Log
The API Portal maintains a detailed audit log that captures all user actions and activities within the portal. This audit log provides complete visibility into who is doing what in your portal, helping you maintain security, troubleshoot issues, and understand usage patterns.
The audit log captures actions performed by users through the portal interface, such as creating organizations, requesting access to API products, approving or declining access requests, managing tokens, inviting users, and modifying portal settings. Each log entry includes information about who performed the action, what action was taken, when it occurred, and what resources were affected.
Currently, the audit log retains all records indefinitely, giving you a complete historical record of portal activities. You can search and filter the audit log to find specific events or track the activities of particular users or organizations. This is valuable for security audits, compliance reporting, and investigating any unexpected behavior or issues.
Note that the audit log captures actions taken by users through the portal interface. Backend operations performed automatically by the portal system, such as token generation or Private Application creation in response to approved access requests, may be logged differently or appear in your Frends Tenant's logs rather than in the portal audit log. Usage of the API Products is also logged in the Frends Tenant, not in the API Portal.
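The search-and-filter use of the audit log described above, as an added example that is not part of the portal's own code or log format: a handful of constructed entries carrying the four pieces of information each record holds (who, what, when, which resource), a filter over actor, organization, action and time window, and one review check a security audit would run on such data, namely flagging access requests that were approved by the same user who created them. The field names and action strings are assumptions for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class AuditEntry:
    """One audit-log record: who did what, when, and to which resource."""
    timestamp: datetime
    actor: str          # user who performed the action
    action: str         # what was done (assumed action names)
    organization: str   # organization the action belongs to
    resource: str       # resource affected by the action


def _t(iso: str) -> datetime:
    """Parse a constructed ISO-8601 timestamp as UTC."""
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


# Constructed sample entries; not real portal output.
AUDIT_LOG: List[AuditEntry] = [
    AuditEntry(_t("2024-05-01T09:00:00"), "alice@acme.example", "organization.created", "acme", "organization:acme"),
    AuditEntry(_t("2024-05-01T09:05:00"), "alice@acme.example", "access_request.created", "acme", "access-request:1"),
    AuditEntry(_t("2024-05-01T09:30:00"), "bob@acme.example", "access_request.approved", "acme", "access-request:1"),
    AuditEntry(_t("2024-05-01T10:00:00"), "carol@acme.example", "access_request.created", "acme", "access-request:2"),
    AuditEntry(_t("2024-05-01T10:10:00"), "carol@acme.example", "access_request.approved", "acme", "access-request:2"),
    AuditEntry(_t("2024-05-02T08:00:00"), "bob@acme.example", "token.revoked", "acme", "token:orders-api"),
]


def filter_entries(entries: Iterable[AuditEntry],
                   actor: Optional[str] = None,
                   organization: Optional[str] = None,
                   action: Optional[str] = None,
                   since: Optional[datetime] = None,
                   until: Optional[datetime] = None) -> List[AuditEntry]:
    """Return entries matching every filter that was given (None means 'any')."""
    matched = []
    for e in entries:
        if actor is not None and e.actor != actor:
            continue
        if organization is not None and e.organization != organization:
            continue
        if action is not None and e.action != action:
            continue
        if since is not None and e.timestamp < since:
            continue
        if until is not None and e.timestamp > until:
            continue
        matched.append(e)
    return matched


def approvals_of_own_requests(entries: Iterable[AuditEntry]) -> List[Tuple[str, str]]:
    """Flag (resource, actor) pairs where the approver also created the request."""
    requesters = {}
    for e in sorted(entries, key=lambda x: x.timestamp):
        if e.action == "access_request.created":
            requesters[e.resource] = e.actor
    return [(e.resource, e.actor)
            for e in entries
            if e.action == "access_request.approved" and requesters.get(e.resource) == e.actor]


if __name__ == "__main__":
    for entry in filter_entries(AUDIT_LOG, actor="carol@acme.example"):
        print(entry.timestamp.isoformat(), entry.action, entry.resource)
    print("self-approved:", approvals_of_own_requests(AUDIT_LOG))
```

The self-approval check is the kind of question an indefinitely retained, searchable log makes cheap to answer; the same shape (index one action by resource, join it against a later action) works for pairing token refreshes with the revocations that preceded them.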
Authentication and Single Sign-On
The API Portal supports multiple authentication methods to accommodate different organizational security requirements. By default, users create accounts with an email address and password, which provides a straightforward onboarding experience.
For more stringent security requirements, API Portal Administrators can configure Single Sign-On for the API Portal. SSO integration allows users to authenticate using their corporate identity provider rather than managing separate credentials for the API Portal. This not only improves security by centralizing authentication but also enhances the user experience by reducing the number of passwords users need to remember.
SSO configuration is managed at the portal level by API Portal Administrators, so it applies to all users across all organizations in the portal. When SSO is configured, it is offered as an additional login option alongside the traditional email and password authentication. Users from your own organization can therefore log in using SSO while external users or customers continue to log in with their email and password, which accommodates different user preferences and organizational policies.
Only API Portal Administrators have the permissions to configure and manage SSO settings. This ensures that the authentication mechanism for the portal is controlled centrally and configured correctly to integrate with your organization's identity infrastructure.
For users authenticating with email and password, password management is available through the profile menu. Users can change their passwords at any time, and password reset flows are available if they forget their credentials.
Token Security and Management
Security in the API Portal revolves around proper token management. Each token generated by the portal is specific to an organization and an API Product, containing claims that identify both. This scoped approach ensures that tokens can only be used to access the specific API operations they were issued for.
Tokens are stored securely within the portal and are only displayed to authorized users within the organization they belong to. Organization administrators and members can view and copy tokens from their organization settings, but tokens for other organizations remain hidden and inaccessible.
The portal provides several security controls for managing tokens. Organization administrators can revoke tokens at any time, immediately preventing any further API calls using that token. This is critical when a token may have been compromised or when an integration is being decommissioned. Tokens can also be refreshed to generate a new token value while maintaining the same access permissions, which is useful for regular credential rotation as part of security best practices.
When a token is revoked or refreshed, any applications or integrations using the old token will immediately lose access. This means you need to coordinate token changes with your development teams to ensure applications are updated with new tokens to avoid service disruptions.
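The token model described in this section (a token scoped to one organization and one API Product, revocation that takes effect immediately, and refresh that issues a new value with the same scope while invalidating the old one), as an added example that is not the portal's own implementation. The registry stores only a hash of each token value, a design choice assumed here, and the authorize check returns the organization claim only when the product claim matches the API Product being called.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class TokenRecord:
    """Claims carried by one issued token (assumed structure for this example)."""
    organization: str   # which organization the token belongs to
    api_product: str    # which API Product it may be used against
    revoked: bool = False


class TokenRegistry:
    """Issue, check, revoke and refresh organization/product-scoped tokens."""

    def __init__(self) -> None:
        # Keyed by SHA-256 of the token value so the raw secret is never stored.
        self._records: Dict[str, TokenRecord] = {}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, organization: str, api_product: str) -> str:
        """Create a fresh random token bound to exactly one organization and product."""
        token = secrets.token_urlsafe(32)
        self._records[self._key(token)] = TokenRecord(organization, api_product)
        return token

    def authorize(self, token: str, api_product: str) -> Optional[str]:
        """Return the caller's organization if the token is live and scoped to api_product."""
        rec = self._records.get(self._key(token))
        if rec is None or rec.revoked or rec.api_product != api_product:
            return None
        return rec.organization

    def revoke(self, token: str) -> bool:
        """Invalidate a token immediately; False if it was unknown or already revoked."""
        rec = self._records.get(self._key(token))
        if rec is None or rec.revoked:
            return False
        rec.revoked = True
        return True

    def refresh(self, old_token: str) -> Optional[str]:
        """Rotate: issue a new value with the same claims and retire the old one."""
        rec = self._records.get(self._key(old_token))
        if rec is None or rec.revoked:
            return None
        rec.revoked = True
        return self.issue(rec.organization, rec.api_product)


if __name__ == "__main__":
    registry = TokenRegistry()
    first = registry.issue("acme", "orders-api")
    print("orders-api call:", registry.authorize(first, "orders-api"))    # acme
    print("billing-api call:", registry.authorize(first, "billing-api"))  # None
    rotated = registry.refresh(first)
    print("old token after refresh:", registry.authorize(first, "orders-api"))  # None
    print("new token after refresh:", registry.authorize(rotated, "orders-api"))  # acme
```

Because refresh retires the old value in the same step that issues the new one, an integration still sending the old token fails on its next call; that is the coordination with development teams the paragraph above refers to, and the reason to deliver the new value to the integration before clicking refresh or revoke in the portal.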
Private Application Integration
Behind the scenes, the API Portal leverages Frends Private Applications to manage authentication between portal users and your Frends APIs. When an organization is created in the portal and receives access to API products, the portal automatically creates a corresponding Private Application in your Frends tenant.
Each organization maps to exactly one Private Application, providing a consistent identity for that organization across all their API subscriptions. When tokens are generated for API products, they are issued by this Private Application and contain the necessary claims for authentication and authorization.
This integration happens automatically through the Frends Platform API. The portal uses specific API endpoints designed for managing Private Applications and tokens, and these operations are restricted to only creating new resources. The portal cannot modify or delete Private Applications or tokens that were created manually or by other systems, ensuring that your existing authentication configurations remain safe.