API Security


Contents

API Security - What they can do, and how to create them

Developers have the ability to create cool applications for you as pilots. Ranging from simple skill trackers for personal use, to auditing tools for corporate recruitment and security, the API can be used to view a large range of information, as detailed below.

It is important to remember what keys you give to what people, and what each key can view.


The API

The API is a way for people to get data from New Eden, and use it for application development. It allows you to check your skill queue, market orders, evemails, and other interesting data from your mobile phone and other platforms, not just the EVE Client/EVE Gate.

This is done by querying a CCP-hosted website, which talks (almost) directly to the database. This means that it offers a wide set of semi-live data.

Customizable API keys - What they can and can't give.

In order to get this data from our web-server, an application needs to provide us with the following things:

  • A keyID
  • A Verification Code

With this information, programs can pull specific data from the server.

What data can be pulled depends on how the API key was created. You determine what information can be given when you create the key. This information includes:

Please note: API keys can not reveal personal information, or credit card information. They only show data that relates to your character. Players can not take control of your account with API information, or gain personal information about you.

Creating an API key

To create a new API key, go to the EVE Online support page and log in.

If you have no API keys, already made, it will take you automatically to the creation screen.

Creation Page

First thing you need to do is to enter a name for the API key. This doesn't affect the outcome of the API key, and only exists to help you tell the difference between the keys, (If you have more then one generated)

Now you need to go through the list of options and select the information you wish to give with the API key.

List of info

Note, when you select different check boxes, the "Access Mask" of the key changes.

Once you have selected the information you want, the screen should look something like this.

Selections made

Final thing to do is to select the expiry date of the key, or to tell it not to expire. To do so, click the text box, and a calendar will pop up allowing you to specify a date when they key will expire.

Api - Expiry date.png

Once you are finished, press the "Submit" button, and it will take you to a list of your API keys.

Api List.png

The text under "ID" is they keyID.

When giving out your API key, you need to give the keyID and the Verification Code. These don't change when the access maks changes, or if the expiry date changes.

Keeping your API key secure and watching for abuse

As you can see, an API key allows people to access a lot of data about all of the characters on your account. Sharing an API key can be detrimental to not only your privacy, but to your whole corporation, especially if you are sharing war-plans for your corporation through evemail, sending API keys by evemail or have secret alts on your contact list. This is why you should make sure to only give your API key to people you truly trust and keep an eye on the usage, protecting your keys is your responsibility.

Should you be interested in knowing who has accessed your API key, you are able to see this right here, where we log all requests to your API key over the last 7 days. If you find any suspicious activity, you can change your API key here, by deleting your old API key, and generating a new API key.