API Key Management Policy

1.0 Purpose

This policy outlines the management of API keys issued by the USCIS Torch API Program to ensure secure access to APIs.

2.0 Scope

This policy applies to all API consumers who have access to USCIS Torch API keys in Sandbox and Production environments.

3.0 Key Management Procedures

3.1 Good API Key Hygiene

Users must comply with our Terms of Use. The security practices below are also required:

  • Always store API keys in environment variables, never hard-coded in source code or configuration files.
  • Do not share API keys in public repositories, email or other communication channels.
  • API access shared across multiple developers must use Developer Teams and Developer Teams Apps to ensure keys are shared securely.
  • Limit the permissions associated with your API keys to the persons or systems with a business need.
  • Follow our API Key Management policies (this document).

3.2 Key Rotation Policy

  • API keys must be rotated every 365 days.
  • API keys must be rotated immediately if there is any indication of compromise.

3.3 Frequency and Schedule

API keys are available in the USCIS Torch API Developer Portal. We will automatically set expiration dates as outlined in 3.2 Key Rotation Policy. Consumers are required to replace their old API keys with new keys to avoid any service disruption.

3.4 Grace Periods

  • Consumers will have 14 days after their new key is generated to transition to the new API key.
  • Both old and new API keys will be active during this period.

3.5 New Key Generation Requirements

  • Consumers who do not send traffic during the previous 365-day period will not receive new keys at the 351-day mark.
  • API keys will be immediately revoked if compromise is suspected or upon user request. 
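The following is an added example for the consumer-side practices in 3.1 through 3.5; it is not USCIS Torch API code. It reads keys from environment variables rather than from source, fails closed when none is configured, and lays out the 365-day rotation timeline with its 14-day grace period so the new key is exercised while the old one is still valid. The environment-variable names (TORCH_API_KEY, TORCH_API_KEY_NEXT) and the sample dates are assumptions; the policy does not prescribe them.

```python
"""Added example for the USCIS Torch API Key Management Policy (not USCIS code).

Reads Torch API keys from environment variables and tracks where a key is in
the policy's rotation timeline. Variable names and sample dates are assumed.
"""
import os
from datetime import date, timedelta
from typing import Mapping

# Rotation timeline from the policy, in days after the key was issued.
ROTATION_NOTICE_DAY = 344  # Key Rotation Notification email (21 days before expiry)
GRACE_START_DAY = 351      # new key available; 14-day grace period begins
EXPIRY_DAY = 365           # old key expires

# Assumed variable names; the policy does not prescribe them.
PRIMARY_VAR = "TORCH_API_KEY"
NEXT_VAR = "TORCH_API_KEY_NEXT"


def load_api_keys(env: Mapping[str, str] = os.environ) -> list[str]:
    """Return configured keys in the order they should be tried: the new key
    first (if one is staged for the grace period), then the current key.

    Fails closed: with no configured key this raises instead of falling back
    to a hard-coded default, which is how keys end up in repositories.
    """
    ordered = [env.get(NEXT_VAR, "").strip(), env.get(PRIMARY_VAR, "").strip()]
    keys = [k for k in ordered if k]
    if not keys:
        raise RuntimeError(
            f"no Torch API key configured; set {PRIMARY_VAR} "
            f"(and {NEXT_VAR} while transitioning during the grace period)"
        )
    return keys


def rotation_schedule(issued_iso: str) -> dict[str, str]:
    """ISO 8601 dates of the policy's milestones for a key issued on issued_iso."""
    issued = date.fromisoformat(issued_iso)
    return {
        "rotation_notice": (issued + timedelta(days=ROTATION_NOTICE_DAY)).isoformat(),
        "grace_start": (issued + timedelta(days=GRACE_START_DAY)).isoformat(),
        "expiry": (issued + timedelta(days=EXPIRY_DAY)).isoformat(),
    }


def key_status(issued_iso: str, today_iso: str) -> str:
    """Where a key issued on issued_iso stands in its lifecycle on today_iso."""
    age = (date.fromisoformat(today_iso) - date.fromisoformat(issued_iso)).days
    if age < 0:
        raise ValueError("key cannot be checked before its issue date")
    if age < ROTATION_NOTICE_DAY:
        return "active"
    if age < GRACE_START_DAY:
        return "rotation-notice"   # new key not yet generated; expect the day-344 email
    if age < EXPIRY_DAY:
        return "grace-period"      # both keys valid; cut over to the new key now
    return "expired"


def next_action(issued_iso: str, today_iso: str, env: Mapping[str, str]) -> str:
    """Operator guidance combining lifecycle state with what is actually configured."""
    status = key_status(issued_iso, today_iso)
    staged = bool(env.get(NEXT_VAR, "").strip())
    if status == "grace-period" and not staged:
        return f"retrieve the new key from the Developer Portal and set {NEXT_VAR}"
    if status == "grace-period" and staged:
        return f"traffic is using the new key; promote {NEXT_VAR} to {PRIMARY_VAR} before expiry"
    if status == "expired":
        return "old key is expired; requests with it will fail until the new key is configured"
    return "no action required"


if __name__ == "__main__":
    # Constructed sample values for a stand-alone run.
    sample_env = {PRIMARY_VAR: "old-key-from-portal", NEXT_VAR: "new-key-from-portal"}
    print(rotation_schedule("2024-01-01"))
    print(key_status("2024-01-01", "2024-12-17"), load_api_keys(sample_env))
    print(next_action("2024-01-01", "2024-12-17", sample_env))
```

Trying the staged key first during the grace period is deliberate: if the new key was copied wrongly, the request fails while the old key is still accepted and can serve as the fallback, instead of failing on day 365 with no working key left.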

3.6 Communication Policy

  • Notifications regarding key management will be communicated through [email protected].   
  • Support requests or questions should be directed to [email protected].
  • USCIS will use the email address listed as the Primary Contact on the Developer Portal Attestation Form, submitted by third-party vendors during the App Demo Process.
    • USCIS will also contact the email address associated with the Developer App if it differs from the Primary Contact provided in the Attestation.
    • Developers will be contacted using the email address associated with the Administrator of the Developer Team, as well as all members of the team.

API Key Rotation Communications

  • Key Rotation Notification
    Description: Email notification when the API key is 344 days old. This email notifies the consumer of the upcoming rotation and how to access their new key.
    Trigger: If the Developer App shows active traffic, notify the user 21 days before the 365-day expiration (day 344).
  • Grace Period Notification
    Description: Email notification when the API key is 351 days old and has entered its 14-day grace period.
    Trigger: If the Developer App shows active traffic, notify the user on the 351st day that the 14-day grace period has begun.
  • Key Expired Notification
    Description: Email notification when the API key is 365 days old: the key and its grace period have both expired.
    Trigger: If the Developer App shows active traffic, notify the user on the 365th day that their key has expired.

4.0 Compliance and Enforcement

Non-compliance with these policies may result in adverse action, including termination of your USCIS Torch API Developer Portal account and access. 

5.0 Review and Revision

This policy will be reviewed and updated as necessary to incorporate new security practices and compliance requirements.