Hello, I have been working on the Meraki dashboard for a few months and I am trying to configure it through the Python API, which is working well. I have noticed that through those API calls I never had to give my credentials for a Meraki account. Therefore I think that anyone who manages to steal my API key can manipulate my network as he/she wants. Is there a way to secure that connection between the Python API and the dashboard?
Your API key is your authentication to the Dashboard. Think of it as your username and password all wrapped up into a single incomprehensible string of characters, and treat it with the same respect. I get what you are saying, but your API key is everything in the Meraki APIs at the moment. This is why you’re only ever shown it once when you generate it, never to see it again - you need to keep it secure.
API == Meraki account
The connection is HTTPS.
You can limit the API by the client IP. However, this feature is still in beta and not yet available to the general public.
You can apply for it here
I have seen this IP range limitation possibility, but I wanted to know if there is any method to add an authentication process between the API request and the dashboard, so that you would need an account to communicate with the Dashboard.
@Bruce is right. To add onto this--REST APIs are stateless. You have to provide that API key with every single request.
This principle is important to understand when it comes to API security.
In REST APIs, there is no such thing as a "session" except as abstracted through the validity of the API key, or via frameworks (like the Python requests module).
Yes, for sure, but if someone manages to get my API key, he can push/pull through the Python API and mess with my network, whereas he wouldn't have been able to do it through the dashboard since he would have needed to log in to my Meraki account first.
We have added MFA to our frontend dashboard so we can limit access by function. We don't share the Meraki dashboard with anyone else.
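Since the replies above come down to treating the key like a password, here is an added example (not code from any poster or from Meraki) that keeps the key out of script source and flags key-shaped literals before they are committed. It assumes keys are 40 hexadecimal characters and that the key is supplied through the `MERAKI_DASHBOARD_API_KEY` environment variable; the sample key and script are constructed.

```python
import os
import re

# Assumption: a Dashboard API key is exactly 40 hexadecimal characters.
# SHA-1 digests (e.g. git commit ids) have the same shape, so review each hit.
KEY_RE = re.compile(r"(?<![0-9a-fA-F])[0-9a-fA-F]{40}(?![0-9a-fA-F])")
ENV_VAR = "MERAKI_DASHBOARD_API_KEY"  # assumed source of the key at run time


def redact(key):
    """Keep only the last four characters so reports never hold the full key."""
    return "*" * (len(key) - 4) + key[-4:]


def load_api_key(environ=os.environ):
    """Read the key from the environment instead of the script source."""
    key = environ.get(ENV_VAR, "").strip()
    if not KEY_RE.fullmatch(key):
        raise RuntimeError(f"{ENV_VAR} is unset or not a 40-character hex string")
    return key


def find_hardcoded_keys(source):
    """Return (line_number, redacted_key) for every key-shaped literal."""
    hits = []
    for number, line in enumerate(source.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            hits.append((number, redact(match.group())))
    return hits


# Constructed sample: a fake 40-hex key pasted into a configuration script.
SAMPLE_KEY = "0123456789abcdef" * 2 + "01234567"
SAMPLE_SCRIPT = (
    "import meraki\n"
    f'API_KEY = "{SAMPLE_KEY}"\n'
    "dashboard = meraki.DashboardAPI(API_KEY)\n"
)

if __name__ == "__main__":
    for number, shown in find_hardcoded_keys(SAMPLE_SCRIPT):
        print(f"line {number}: hard-coded key {shown}")
```

Running `find_hardcoded_keys` over scripts in a pre-commit hook catches a pasted key before it reaches a shared repository.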