API key expiration


Sec Aficionado

Mar 25, 2024, 5:44:58 AM
to Guardian Open Platform API Forum
Hi all, I created an API key for personal use. I pull headlines daily and decide what to read from there. This all works great.

My concern is the key expiration. I received an email saying that GDPR requires keys to expire after 900 days unless explicitly renewed. That is fine, but the links provided in the email point to gutools.co.uk, not theguardian.com. In this age of phishing, I was very leery of clicking on those links. I went to the terms and conditions page and did not find anything about key expiration. It was not until I did a whois search and confirmed that gutools is in fact owned by the Guardian that I could verify that the email was legitimate.

I don't think anyone can do nefarious things with other people's keys, except maybe get around rate limits, but it is still a bad practice to request user action when it is not very clear that the messages come directly from you and the action taken happens on your site, or a site under your control.

My suggestion is that you add a paragraph about key expiration to the terms and conditions, and perhaps a note on the domain or domains that could be included in renewal requests. Better yet, add a redirection from the guardian's site to the gutools site and then the emails would look like they came from the guardian and went to the guardian.

Thank you so much for all the work you do and for sharing it with the world.
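The check the poster did by hand (do the links in the renewal email resolve to a domain the sender actually controls?) can be automated. The script below is an added example, not code from the original post or from the Guardian; it assumes an allowlist of two registrable domains (theguardian.com, and gutools.co.uk as confirmed by the whois lookup above), a constructed sample email body, and a small hard-coded set of two-label public suffixes in place of the full Public Suffix List. It compares each link's registrable domain against the allowlist rather than doing a substring match, so prefix look-alikes such as theguardian.com.example.net, userinfo tricks such as theguardian.com@example.net, and bare IP literals are all flagged.

```python
import re
from urllib.parse import urlsplit

# Domains this example ASSUMES the sender controls: theguardian.com, plus
# gutools.co.uk, which the post above confirmed via whois.
TRUSTED_DOMAINS = {"theguardian.com", "gutools.co.uk"}

# Two-label public suffixes handled by this toy version. A production check
# should use the full Public Suffix List instead of this short set.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "gov.uk", "com.au"}

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)

# Constructed sample body, modelled on the renewal email described in the post.
SAMPLE_EMAIL = """Your Open Platform API key is approaching 900 days of age.
Renew it at https://membership.gutools.co.uk/renew/abc123 or read the terms
at https://www.theguardian.com/open-platform/terms-and-conditions.
A look-alike message might instead point at
https://theguardian.com.example.net/renew or
https://theguardian.com@example.net/renew or even http://203.0.113.5/renew.
"""


def registrable_domain(url):
    """Return the registrable domain of url's host ('gutools.co.uk' for
    'https://app.gutools.co.uk/renew'), the raw host for an IP literal, or
    None when the URL has no usable host.

    urlsplit().hostname lowercases the host and drops userinfo and port, so
    'https://theguardian.com@example.net/' yields 'example.net'. Punycode
    (xn--) look-alikes simply fail the allowlist comparison."""
    host = urlsplit(url).hostname
    if not host:
        return None
    labels = host.strip(".").split(".")
    if all(label.isdigit() for label in labels):
        return ".".join(labels)  # IPv4 literal: no registrable domain
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def is_trusted(url):
    """True only when the link's registrable domain is exactly on the allowlist.
    Subdomains of a trusted domain pass; prefix and userinfo tricks do not,
    because the comparison is on the registrable domain, not a substring."""
    return registrable_domain(url) in TRUSTED_DOMAINS


def extract_urls(text):
    """Pull http(s) URLs out of a plain-text body, dropping trailing punctuation."""
    return [m.group(0).rstrip(".,;:!?") for m in URL_RE.finditer(text)]


def untrusted_links(text):
    """Return the URLs in text whose registrable domain is not on the allowlist."""
    return [u for u in extract_urls(text) if not is_trusted(u)]


if __name__ == "__main__":
    for url in extract_urls(SAMPLE_EMAIL):
        verdict = "ok " if is_trusted(url) else "FLAG"
        print(f"{verdict} {registrable_domain(url):<22} {url}")
```

Run on the sample body, the two real-looking links pass and the three look-alikes are flagged. The allowlist is the part that still needs a human: it encodes exactly the fact the poster had to establish with whois, which is why publishing the renewal domains in the terms and conditions would help.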

Guardian Open Platform API Forum

Mar 25, 2024, 6:02:39 AM
to Guardian Open Platform API Forum
Hi Sec,

Thank you for being a valuable user of The Guardian.

The email is sent from our end, hence we confirm its legitimacy.
We understand the need to be very vigilant about clicking any of the links unless they seem legitimate,
which is indeed the best action on your end: to check first.

We will look into the issue of the details in the terms and conditions, and whether we need to specify the domain we are asking users to go to.
We will also investigate the 403 error which you mentioned when you tried the link.

To check status of your key, I would like to request your email (and not the key) that you have used when you have created the key.

Thanks for your patience
Regards,
Guardian Open Platform API Team

Alix Fachin

Mar 25, 2024, 6:22:01 AM
to Guardian Open Platform API Forum
Seconded!

I intended to put a message in the forum about the very same matter!
I agree that this message sounds like phishing. What I found puzzling was that the message said that the API key was 900 days old, but I created my API key a month ago or so.

Apart from that - thanks for making this API public!

Guardian Open Platform API Forum

Mar 25, 2024, 6:27:30 AM
to Guardian Open Platform API Forum
Hi,

Thank you for reporting the issue.
We are investigating and will get back to you once it's sorted.

May I request your email address to check the status of your key, please?
Please note: don't mention your key, just the email address that you used to create the key.

Thanks for your patience,
Regards,
Guardian Open Platform API Team
