An access key consists of an access key id and a secret key, which are used as credentials in the authentication process. Both are randomly generated strings and cannot be changed. It is possible to create as many access keys as you need for your services. The state of the keys can be freely changed between active and inactive. If keys are no longer needed, they can be deleted. A deleted access key cannot be revived.
A policy can be assigned to each key. Assigning a policy to a key is optional – if there is no policy assigned, the default is to allow everything. We recommend to always protect your access keys with a policy that only allows features needed by your application.
Access keys can be created and managed in the timeanddate.com API services customization pages.
For security reasons, keys should be changed on a regular basis (an appropriate frequency would be 90 days) – this can be done with the following steps without interrupting your service:
- Create a new access key and assign the same policy as currently assigned for the key that should be canceled. Leave the original key activated.
- Update your applications to use the new set of credentials.
- Change the state of the original access key to inactive.
- Confirm that all of your applications are still working well. If needed, you can still revert to the previous state by setting the original access key back to active.
- Delete the original access key.