API Key Permissions

In order to improve security, as well as to enable client-side logging to elmah.io, we've introduced API key permissions. API keys were introduced in v3 of the elmah.io API. All requests to the API needs to send a valid API key, administered from the organization settings UI.

API keys were designed as a token, that you would need to keep secure within your organization. With new requirements like logging from JavaScript and mobile apps, we've introduced API key permissions, in order for you to publish your API key out in the open.

New API keys are limited to a permission named messages_write only:

API Key Editor

This means that the key can only write log messages and not browse your logs, create deployments, etc. If you need it, additional permissions can be enabled in the API key editor. In most cases, the messages_write permission will be sufficient to cover your logging needs.

Be aware that all existing API keys have all permissions enabled. We recommend you to go through the permissions on each of your keys and make sure that only the needed permissions are enabled. And while you are already looking at securing elmah.io, you might want to disable v2 API logging too.

For more information about API key permissions, check out the article How to configure API key permissions.

elmah.io: Error logging and Uptime Monitoring for your web apps

This blog post is brought to you by elmah.io. elmah.io is error logging, uptime monitoring, deployment tracking, and service heartbeats for your .NET and JavaScript applications. Stop relying on your users to notify you when something is wrong or dig through hundreds of megabytes of log files spread across servers. With elmah.io, we store all of your log messages, notify you through popular channels like email, Slack, and Microsoft Teams, and help you fix errors fast.

See how we can help you monitor your website for crashes Monitor your website