1.0 Purpose
This policy outlines the management of API keys issued by the USCIS Torch API Program to ensure secure access to APIs and to minimize the risk of unauthorized access or misuse.
2.0 Scope
This policy applies to all API consumers who have access to USCIS Torch APIs in Sandbox and Production environments.
3.0 Key Management Procedures
3.1 Good API Key Hygiene
The following was prepared in support of our Terms of Use. [Section A Use 1. Online Account Holders]
- Always store keys in environment variables (or an equivalent runtime secret store), never in source code or configuration files that are committed to a repository.
- Never share API keys in public repositories, email or other communication channels.
- API keys shared across multiple developers must be shared through Developer Teams and Developer Team Apps so that the keys are distributed securely.
- Limit the permissions associated with your API keys to the persons or systems with a business need.
- Follow our API Key Management policies (this document).
3.2 Key Rotation Policy
- API keys must be rotated every 90 days.
- API keys should be rotated immediately if there is any indication of compromise.
3.3 Frequency and Schedule
We will automatically set expiration dates and issue new keys. New API keys will be made available in the USCIS Torch API Developer Portal. Consumers are required to anticipate these periodic key rotations by replacing their old API keys with the new keys before the old keys expire, to avoid any service disruption.
- API keys will be automatically rotated on a scheduled basis every 90 days.
- Multiple notifications will be sent according to the schedule in section 3.7, Communication Policy.
3.4 Grace Periods
- A 14-day grace period is allowed for vendors to transition to the new API keys after rotation.
- Both the old and the new API keys may remain active during this period; once it ends, only the new key works.
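What sections 3.1 through 3.4 ask of a consumer can be implemented in a small routine on the client side: read the key (and its issue date) from the environment rather than from source, never log more than a few trailing characters, and, during the 14-day overlap, prefer the newly issued key while refusing to start once the old key is past its grace period. The following is an added example written for this page; it is not code from the USCIS Torch API Program. The environment variable names (`TORCH_API_KEY`, `TORCH_API_KEY_NEXT` and the two `_ISSUED` dates) are assumptions, the issue date is something the consumer records when picking up a key from the Developer Portal, and no particular key format is assumed.

```python
"""Consumer-side handling of API keys under a 90-day rotation with a
14-day grace period (sections 3.2 to 3.4). Added example, not Torch code;
the environment variable names below are assumptions."""
import os
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Mapping, Optional

ROTATION_DAYS = 90   # 3.2 / 3.3: keys are rotated every 90 days
GRACE_DAYS = 14      # 3.4: old and new keys overlap for 14 days
NOTICE_DAYS = 83     # 3.7: rotation notification is sent at 83 days

# Hypothetical variable names; the Torch program does not define these.
KEY_VAR = "TORCH_API_KEY"
ISSUED_VAR = "TORCH_API_KEY_ISSUED"            # ISO date, e.g. 2024-01-15
NEXT_KEY_VAR = "TORCH_API_KEY_NEXT"
NEXT_ISSUED_VAR = "TORCH_API_KEY_NEXT_ISSUED"


@dataclass(frozen=True)
class ApiKey:
    value: str
    issued: date

    def age_days(self, today: date) -> int:
        return (today - self.issued).days

    def status(self, today: date) -> str:
        """Where the key sits in the 3.3 / 3.4 lifecycle."""
        age = self.age_days(today)
        if age < NOTICE_DAYS:
            return "active"
        if age < ROTATION_DAYS:
            return "rotation_notified"   # the portal already offers the new key
        if age < ROTATION_DAYS + GRACE_DAYS:
            return "grace"               # old key still accepted, for now
        return "expired"


def mask(key: str) -> str:
    """Log-safe rendering: at most the last four characters survive."""
    return "****" + key[-4:] if len(key) > 8 else "********"


def load_key(env: Mapping[str, str], key_var: str, issued_var: str) -> Optional[ApiKey]:
    """Read a key and its issue date from the environment (3.1: never from source)."""
    value = env.get(key_var, "").strip()
    if not value:
        return None
    issued_raw = env.get(issued_var)
    if not issued_raw:
        raise ValueError(f"{key_var} is set but {issued_var} is missing; cannot track rotation")
    return ApiKey(value, date.fromisoformat(issued_raw))


def select_key(env: Optional[Mapping[str, str]] = None, today: Optional[date] = None) -> ApiKey:
    """Pick the key to send with requests.

    Prefer the replacement key as soon as the operator has provisioned it; fall back
    to the current key only while it is inside its grace period; otherwise fail
    closed instead of sending an expired key."""
    env = os.environ if env is None else env
    today = today or date.today()
    current = load_key(env, KEY_VAR, ISSUED_VAR)
    replacement = load_key(env, NEXT_KEY_VAR, NEXT_ISSUED_VAR)
    if replacement is not None and replacement.status(today) != "expired":
        return replacement
    if current is None:
        raise RuntimeError(f"{KEY_VAR} not set; refusing to start without a key")
    if current.status(today) == "expired":
        raise RuntimeError(
            f"key {mask(current.value)} is {current.age_days(today)} days old; the grace "
            "period has ended, obtain the new key from the Developer Portal")
    return current


def days_until(issued: date, today: date) -> dict:
    """Deadlines an operator can put on a calendar or dashboard (negative = past)."""
    return {
        "rotation_notice": (issued + timedelta(days=NOTICE_DAYS) - today).days,
        "rotation": (issued + timedelta(days=ROTATION_DAYS) - today).days,
        "grace_end": (issued + timedelta(days=ROTATION_DAYS + GRACE_DAYS) - today).days,
    }


if __name__ == "__main__":
    # Constructed environment: an old key inside its grace period plus its replacement.
    demo_env = {
        KEY_VAR: "sandbox-old-key-0001", ISSUED_VAR: "2024-01-01",
        NEXT_KEY_VAR: "sandbox-new-key-0002", NEXT_ISSUED_VAR: "2024-03-31",
    }
    on = date(2024, 4, 5)
    chosen = select_key(demo_env, today=on)
    print("using", mask(chosen.value), chosen.status(on), days_until(date(2024, 1, 1), on))
```

The fail-closed branch matters more than the happy path: a client that keeps sending a key past day 104 produces a burst of authentication failures that looks, from the program's side, exactly like an expired or revoked key, and it is easier to catch that at start-up than in production logs.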
3.5 Inactive API Key Policy
- Consumers whose API keys have shown no traffic will receive an email 7 days before the 90-day inactivity threshold (that is, when the key is 83 days old).
- Third-party vendors then have a 14-day grace period to reinstate their API keys to active status by sending API traffic.
- During the grace period, if a consumer:
  - sends traffic, the API key is returned to active status and revocation is avoided;
  - fails to send traffic within the first 7 days, we will send a final warning notification;
  - fails to send traffic within the full 14-day grace period, the API keys will be revoked.
- After revocation:
  - Third-party vendors can request new API keys 30 days from the date their API keys were revoked.
  - Third-party vendors must demo their application to USCIS Torch following the existing demo procedures.
3.6 Revocation Policy
- API keys are revoked when no traffic is detected from the API key within the 90-day period of the key's lifecycle.
- We will communicate warnings via email and will provide a 14-day grace period in which sending traffic restores active key status.
- Failure to send traffic within the grace period will result in API key revocation.
- If you successfully send traffic during the grace period, we will rotate your existing keys to new keys. You must continue to rotate your keys per our API key rotation policy (section 3.2).
- API keys can be revoked immediately if compromise is suspected or upon user request.
3.7 Communication Policy
- Notifications regarding key management will be communicated through [email protected]. Support requests or questions should be directed to [email protected].
- USCIS will use the email address listed as the Primary Contact on the Developer Portal Attestation Form submitted by third-party vendors during the App Demo Process.
- USCIS will also contact the email address associated with the Developer App if it differs from the Primary Contact provided in the Attestation.
- Additionally, vendors using a Developer Team App will be contacted at the email address associated with the Administrator of the Developer Team.
| Name | Description | Trigger |
| --- | --- | --- |
| API Key Rotation Communications | | |
| Key Rotation Notification | Email notification when the API key is 83 days old. This email notifies the consumer of the upcoming rotation and how to access the new keys. | Developer App shows active traffic |
| Grace Period Notification | Email notification when the API key is 90 days old and has entered its 14-day grace period. | Developer App shows active traffic |
| Key Expired Notification | Email notification when the API key is 104 days old and has expired. The grace period has also ended. | Developer App shows active traffic |
| Inactive API Key Communications | | |
| Inactive Key Notification | Email notification when the API key is 83 days old. This email confirms whether there was any API traffic during those 83 days. If there was none, we ask the consumer to send traffic to the API to maintain access. | Developer App is idle (no traffic at 83 days) |
| Warning Notification | Email notification when the API key is 97 days old. This warning confirms whether there was any API traffic during those 97 days. If there was none, we ask the consumer to send traffic to the API to maintain access. | Developer App remains idle (no traffic at 97 days) |
| Revocation Notice | Email notification when the API key is 104 days old. This email confirms whether there was any API traffic during those 104 days. If there was none, we inform the consumer that their keys are revoked and provide steps on how to reinstate them. | Developer App remains idle (no traffic at 104 days) |
4.0 Compliance and Enforcement
Non-compliance with these policies may result in adverse action, including termination of access or deletion of your USCIS Torch API Developer Portal account.
5.0 Review and Revision
This policy will be reviewed and updated as necessary to incorporate new security practices and compliance requirements.
6.0 Acknowledgements
I acknowledge that I have read the API Key Management Policies and understand and will comply with them. I agree to abide by these policies and understand that if I do not accept them, I am not eligible to access or use USCIS APIs made available on the USCIS Torch API Developer Portal. I understand that any violation of these policies and any criminal activity will result in immediate suspension and/or termination of my access to and use of USCIS Torch APIs, and that I may be subject to administrative or civil action as allowed by law, or to criminal prosecution.
- I will cooperate willingly with DHS or USCIS on any investigation of any privacy, security, or cyber incidents and, if directed by DHS or USCIS, I will voluntarily relinquish all access to and use of USCIS online electronic immigration system during the period of investigation and/or law enforcement action in response to such incidents. [Terms of Use, D. Incident Reporting]
- If my online account or developer app keys have been compromised in any way, I will notify USCIS immediately, by either calling the Contact Center at 800-375-5283 or sending USCIS an electronic message as instructed on the uscis.gov website. [Terms of Use, D. Incident Reporting]