Hardware-based protection of application programming interface (API) keys
US-2023153426-A1 · May 18, 2023 · US
US12355843B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-12355843-B2 |
| Application number | US-202217651908-A |
| Country | US |
| Kind code | B2 |
| Filing date | Feb 22, 2022 |
| Priority date | Feb 22, 2022 |
| Publication date | Jul 8, 2025 |
| Grant date | Jul 8, 2025 |
Official abstract text for this publication.
A method, system, and computer program product for protecting API keys for accessing services in a cloud environment are disclosed. A first request for generating a virtual key for a user in an organization to access a service in a cloud environment is received. The first request includes information of the organization, an identity of the user, and information of the service. A first authentication request is sent to an identity provider of the organization based on the information of the organization and the identity of the user. In response to the first authentication being successful, an API key for the organization to access the service is determined. The virtual key for the user to access the service is generated based on the API key, the information of the organization, and the identity of the user. The virtual key is returned as a response of the first request.
Opening claim text (preview).
What is claimed is:
1. A computer-implemented method, comprising: receiving, by one or more processors, a first request for generating a virtual key for a user in an organization to access a service in a cloud environment, wherein the first request comprises information of the organization, an identity of the user in the organization, and information of the service, and wherein an API key is required to access the service; sending, by the one or more processors, a first authentication request to an identity provider of the organization based on the information of the organization and the identity of the user in the organization; determining, by the one or more processors, whether the first authentication is successful; and in response to the first authentication being successful, determining, by the one or more processors, the API key for the organization to access the service by querying the API key for the organization to access the service to a storage which stores a mapping between API keys and organizations; responsive to obtaining the API key from the query, utilizing a public key to encrypt the API key, the information of the organization and the identity of the user in the organization to generate the virtual key; and returning, by the one or more processors, the virtual key as a response of the first request.
2. The method of claim 1, the method further comprising: in response to the first authentication being unsuccessful, rejecting, by the one or more processors, the first request.
3. The method of claim 1, wherein the virtual key is a ciphertext encrypted by a combination of the API key, the information of the organization and the identity of the user in the organization.
4. The method of claim 3, the method further comprising: storing, by the one or more processors, a first mapping between the virtual key for the user and the identity of the user in the organization after generating the virtual key for the user.
5. The method of claim 4, the method further comprising: in response to the first authentication being successful, determining, by the one or more processors, whether there is the virtual key for the user; and in response to there being the virtual key for the user based on the first mapping, returning, by the one or more processors, the virtual key as the response of the first request.
6. The method of claim 4, the method further comprising: receiving, by the one or more processors, a second request for the user to access the service in the cloud environment, the second request comprising the virtual key for the user to access the service, decrypting, by the one or more processors, the virtual key to obtain a decrypted API key, decrypted information of the organization, and a decrypted identity of the user in the organization; sending, by the one or more processors, a second authentication request to the identity provider of the organization based on the decrypted information of the organization to authenticate the decrypted identity of the user in the organization; determining, by the one or more processors, whether the second authentication is successful; and in response to the second authentication being unsuccessful, rejecting, by the one or more processors, the second request.
7. The method of claim 6, the method further comprising: in response to the second authentication being unsuccessful, determining, by the one or more processors, whether there is the virtual key corresponding to the decrypted identity of the user in the organization based on the first mapping; and in response to there being the virtual key corresponding to the decrypted identity of the user in the organization, withdrawing, by the one or more processors, the first mapping.
8. The method of claim 6, the method further comprising: in response to the second authentication being successful, verifying, by the one or more processors, the decrypted API key for the user based on a second mapping between API keys and services; in response to the verifying of the decrypted API key being successful, accessing, by the one or more processors, the service; and in response to the verifying of the decrypted API key being unsuccessful, rejecting, by the one or more processors, the second request.
9. The method of claim 1, wherein the cloud environment is a public cloud environment or a hybrid cloud environment.
10. A system, comprising: at least one processor; and a memory coupled to the at least one processor and storing instructions thereon, the instructions, when executed by the at least one processor, performing actions comprising: receiving a first request for generating a virtual key for a user in an organization to access a service in a cloud environment, wherein the first request comprises information of the organization, an identity of the user in the organization, and information of the service, and wherein an API key is required to access the service; sending a first authentication request to an identity provider of the organization based on the information of the organization and the identity of the user in the organization; determining whether the first authentication is successful; and in response to the first authentication being successful, determining the API key for the organization to access the service by querying the API key for the organization to access the service to a storage which stores a mapping between API keys and organizations; responsive to obtaining the API key from the query, utilizing a public key to encrypt the API key, the information of the organization and the identity of the user in the organization to generate the virtual key; and returning the virtual key as a response of the first request.
11. The system of claim 10, the actions further comprising: in response to the first authentication being unsuccessful, rejecting the first request.
12. The system of claim 10, wherein the virtual key is a ciphertext encrypted by a combination of the API key, the information of the organization and the identity of the user in the organization.
13. The system of claim 12, the actions further comprising: receiving a second request for the user to access the service in the cloud environment, the second request comprising the virtual key for the user to access the service, decrypting the virtual key to obtain a decrypted API key, decrypted information of the organization, and a decrypted identity of the user in the organization; sending a second authentication request to the identity provider of the organization based on the decrypted information of the organization to authenticate the decrypted identity of the user in the organization; determining whether the second authentication is successful; and in response to the second authentication being unsuccessful, rejecting the second request.
14. The system of claim 13, the actions further comprising: in response to the second authentication being successful, verifying the decrypted API key for the user based on a second mapping between API keys and services; in response to verifying of the decrypted API key being successful, accessing the service; and in response to verifying of the decrypted API key being unsuccessful, rejecting the second request.
15. The system of claim 10, wherein the cloud environment is a public cloud environment or a hybrid cloud environment.
16. A computer program product, comprising a non-transitory computer-readable storage medium having program instructions embodied therewith, the program instructions executable by a first component with at least
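The claims above describe a two-phase flow: a key broker authenticates the user with the organization's identity provider, looks up the organization's real API key in an organization-to-key mapping, and returns a virtual key that is the public-key encryption of (API key, organization, user identity), recording a user-to-virtual-key mapping so a repeat request gets the same key back; on access, the broker decrypts the virtual key, re-authenticates the user named inside it, checks the recovered API key against a service-to-key mapping, and withdraws the user's mapping when re-authentication fails. The Go program below is an added illustration of that flow written for this page; it is not code from the patent or its assignee. It assumes an in-process RSA-OAEP key pair as the public key (the page's title refers to hardware-based protection, and the private key is the element that would be held there rather than in process memory), a map lookup as the identity provider, and constructed organization, user, service and API key values; the type and function names are this example's own.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// payload is the plaintext sealed inside a virtual key: the organization's real
// API key together with the organization and user identity it was issued to.
type payload struct {
	APIKey string `json:"api_key"`
	Org    string `json:"org"`
	User   string `json:"user"`
}

// Broker models the component that issues and redeems virtual keys (all names
// and seeded data here are constructed for this example, not from the patent).
type Broker struct {
	priv         *rsa.PrivateKey             // only the broker can open a virtual key
	Authenticate func(org, user string) bool // stand-in for the organization's identity provider
	orgKeys      map[string]string           // mapping between organizations and API keys
	svcKeys      map[string]map[string]bool  // mapping between services and the API keys they accept
	userVKeys    map[string][]byte           // "first mapping": user identity -> issued virtual key
}

func NewBroker(auth func(org, user string) bool, orgKeys map[string]string, svcKeys map[string]map[string]bool) (*Broker, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Broker{priv: priv, Authenticate: auth, orgKeys: orgKeys, svcKeys: svcKeys, userVKeys: map[string][]byte{}}, nil
}

// IssueVirtualKey handles the first request: authenticate the user with the
// identity provider, return an already issued virtual key if one exists, and
// otherwise seal (API key, org, user) under the broker's public key.
func (b *Broker) IssueVirtualKey(org, user string) ([]byte, error) {
	if !b.Authenticate(org, user) {
		return nil, errors.New("first authentication failed: request rejected")
	}
	if vk, ok := b.userVKeys[org+"/"+user]; ok {
		return vk, nil
	}
	apiKey, ok := b.orgKeys[org]
	if !ok {
		return nil, errors.New("no API key registered for organization")
	}
	plain, _ := json.Marshal(payload{APIKey: apiKey, Org: org, User: user}) // cannot fail for plain strings
	vk, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &b.priv.PublicKey, plain, nil)
	if err != nil {
		return nil, err
	}
	b.userVKeys[org+"/"+user] = vk
	return vk, nil
}

// Access handles the second request: open the virtual key, re-authenticate the user
// named inside it, and check that the recovered API key is valid for the service.
func (b *Broker) Access(service string, vk []byte) (string, error) {
	plain, err := rsa.DecryptOAEP(sha256.New(), nil, b.priv, vk, nil)
	if err != nil {
		return "", errors.New("virtual key could not be decrypted: request rejected")
	}
	var p payload
	if err := json.Unmarshal(plain, &p); err != nil {
		return "", err
	}
	if !b.Authenticate(p.Org, p.User) {
		delete(b.userVKeys, p.Org+"/"+p.User) // withdraw the first mapping for a user the IdP no longer accepts
		return "", errors.New("second authentication failed: request rejected, virtual key withdrawn")
	}
	if !b.svcKeys[service][p.APIKey] {
		return "", errors.New("API key is not valid for this service: request rejected")
	}
	return fmt.Sprintf("access granted: %s@%s -> %s", p.User, p.Org, service), nil
}

// HasVirtualKey reports whether the broker still holds a mapping for the user.
func (b *Broker) HasVirtualKey(org, user string) bool {
	_, ok := b.userVKeys[org+"/"+user]
	return ok
}

func main() {
	enrolled := map[string]bool{"acme/alice": true} // constructed identity provider directory
	b, _ := NewBroker(func(org, user string) bool { return enrolled[org+"/"+user] },
		map[string]string{"acme": "sk_example_constructed"},
		map[string]map[string]bool{"object-storage": {"sk_example_constructed": true}})
	vk, _ := b.IssueVirtualKey("acme", "alice")
	fmt.Println(len(vk), "byte virtual key issued; the API key itself never leaves the broker")
	fmt.Println(b.Access("object-storage", vk))
	delete(enrolled, "acme/alice") // the organization deprovisions alice
	fmt.Println(b.Access("object-storage", vk))
	fmt.Println("mapping kept:", b.HasVirtualKey("acme", "alice"))
}
```

The properties worth noticing are the ones the claims spell out: the caller only ever holds an OAEP ciphertext and never the organization's API key; a virtual key issued to one user stops working as soon as the identity provider no longer accepts that user, and the broker drops its record of the key at that moment; and a virtual key that decrypts cleanly is still refused when the recovered API key is not registered for the requested service. Because OAEP is randomized, two issuances for the same user would produce different ciphertexts, which is why the broker keeps the first mapping and returns the stored key on a repeat request.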
including means for verifying the identity or authority of a user of the system {or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials} · CPC title
Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) (network architectures or network communication protocols for key distribution in a packet data network H04L63/062) · CPC title
Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these (network architectures or network communication protocols for key exchange in a packet data network H04L63/061) · CPC title
using tickets or tokens, e.g. Kerberos (network architectures or network communication protocols for entities authentication using tickets in a packet data network H04L63/0807) · CPC title
Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage · CPC title