Generate and retrieve EdgeKV access tokens
You need an EdgeKV-specific access token to authorize an EdgeWorker ID to access data within a given namespace. This ensures that only authorized IDs gain access to the data with the proper controls. Tokens will expire, so you will need to generate a new token before an existing one expires, and update it inside your edgekv_tokens.js file. Your EdgeKV calls will fail if an expired token is not replaced.
You can create one or more EdgeKV access tokens per namespace, or create tokens that grant access to multiple namespaces. Before creating your tokens refer to the to the Product limits section to make sure you stay within the overall limit for the number of allowed tokens per account.
To create a token you need to have the EdgeKV Access Token - Create - Create a new EdgeKV Access Token permission associated with your API client.
When you create an EdgeKV access token, you must assign it a unique name. Tokens are securely stored in Akamai’s internal systems until they expire. Anyone with the EdgeKV Access Token - View- List EdgeKV Access Token permission can list tokens or use the assigned name to retrieve a token.
The token create operation will fail if you attempt to create a token with an existing name.
If you used EdgeKV in the previous availability phase, you need to generate new tokens.
Any tokens added to your EdgeWorkers code bundles during our previous availability phase must replaced with a new token. Tokens from the previous phase were revoked at the end of March 2021 for security reasons.
Access token fields
Each access token contains the following fields. Fields marked as "required" must be specified when creating a new token:
| Field | Description |
|---|---|
| Token name (Required) | The name specified in the token creation API call. We recommend that you assign a descriptive name that is unique across your entire account to identify your token. You cannot modify an access token name once it has been created. You cannot use the (-) dash character to start the name. |
| Issue date | The date the token was issued. Automatically set to the date the token was created. |
| Expiry time (Required) | The token expiration date. For this availability phase, we recommend you set it to a maximum six months from when the token was created. |
| Valid for EdgeWorker IDs (Optional) | Lists the EdgeWorker IDs allowed to access the namespace. Defaults to all. (This cannot be changed during the current availability phase.) |
| Valid on Production (Required) | Determines if namespaces can be accessed on the Akamai production network. Can be set to true or false. |
| Valid on Staging (Required) | Determines if namespaces can be accessed on the Akamai staging network. Can be set to true or false. |
| CP Code | CP code created during EdgeKV initialization. Automatically set to the CP Code created during EdgeKV iniitialization. Please make sure you do not purge content associated with this CP code to avoid degradation in your EdgeKV performance. |
| Namespace permissions (Required) | Defines the namespace-id and the corresponding enforced namespace access permissions. You can set the permissions to one or more of the following [READ (“r”), DELETE (“d”), WRITE (“r”)] to restrict access to the namespace data. |
Access tokens used by an EdgeWorker ID are stored in your local edgekv_tokens.js file, which must be included in an EdgeWorkers code bundle. You can use the administrative API or CLI to create or retrieve a token. The CLI also provides the option to update the edgekv_tokens.js file automatically, whereas using the administrative API requires the use of a separate tool to update the file.
The edgekv_access_tokens dictionary in the edgekv_tokens.js file must be updated with new token name and token value fields when those values change, such as at renewal. These fields are added under a parent key called namespace-.
For example, if we create a token named default_token for the default namespace and another called marketing_token for the marketing namespace, the contents of the file would look similar to this example:
var edgekv_access_tokens = {
"namespace-default": {
"name": "default_token",
"value": "xxx.yyy.zzz"
},
"namespace-marketing": {
"name": "marketing_token",
"value": "aaa.bbb.ccc"
}
}
export { edgekv_access_tokens };
Expiration notification
If your Control Center role includes the "EdgeKV Access Token - Create" permission or you are an escalation contact for EdgeKV, you will receive notifications in the Control Center Notification panel as a token approaches its expiration date. You will receive these notifications at defined intervals of 30 days, 7 days, and 1 day before the token expires. A notification appears for each token as it reaches each of these thresholds. When multiple tokens reach an expiration period at the same time, the notifications are bundled into a single message. A sample of a single token notification is shown below:
You might not receive a notification for all three expiration periods. Tokens created within a given expiration period may not generate a notification until the next message is sent. For example, if you create a token that expires in 7 days, you may not receive a notification until the token is due to expire in 1 day. Also note that access tokens are checked once a day. If you create a token that expires in one day and the notification has already been sent, you will not receive a notification. If you create it before the daily check you will get a notification. Tokens that expire in more than 30 days always get all 3 notifications.
You will receive the 1 day notification in an email in addition to the notification center. To receive these email notifications make sure that your account:
- is registered using your email address.
- was created from within a registered Akamai account.
- is currently active.
You can also refer to the Identity and Access Management documentation for more information about how to add an escalation contact.
Updated 9 months ago