Manage API Keys


As an OpenLMIS administrator I need to manage API keys so that an external partner can access OpenLMIS.

  • may be assigned administrator rights (and only admin rights)

Mock Up

Acceptance Criteria:

  1. New screen to create API keys

  2. New right for an administrator with the "Manage Service Accounts" right (administrative) may access an administrator screen which allows them to manage the systems Service Accounts.

  3. Administrator will have access to view the new screen "Manage API Keys" and view, create, remove API keys.

  4. When viewing the API key table, an API key may be generated when the admin clicks "Add". A new key is generated and a confirmation message displays that the key has been generated successfully. Then the table is updated with the new API Key and the date the key was generated. The table will display all API keys, with the most recent API key at the top of the list.

  5. API Keys do not expire, the admin must click Remove to delete the API Key, and then click "Add" to create a new one.

  6. Create a test case that is linked to this ticket and label Administration


  • Admin must manually provide the new API Key to the partner, and the partner must manually request a new key (whenever needed)

  • Naming for each API key will be a future ticket. (If we have other external partners that need access)

  • API Key expiration is out of scope.

  • These accounts are not for people, but rather for other systems. Therefore they don't have: profiles, passwords, etc.

  • Service accounts may be granted administrative rights ( - removed this from the acceptance criteria unless it can be defined before starting Sprint 41. Otherwise this can be a separate ticket. -> )

is providing additional information as you begin work on this ticket:

  • key encoding use our standard token format

  • scope in RBAC

  • ttl RBAC


Paweł Albecki


Josh Zamor



Story Points


Time tracking





Fix versions