Changes Coming to ARIN’s Reg-RWS API Keys for Increased Security

Changes Coming to ARIN’s Reg-RWS API Keys for Increased Security

Starting 3 January 2023, ARIN will be making changes to the Registration RESTful Service (Reg-RWS) designed to increase our level of security and prevent bad actors from accessing or manipulating your valuable data.

Reg-RWS is a secure and efficient method for interacting with ARIN’s database and managing your registration records. Reg-RWS is convenient for repetitive, mundane tasks done in high volume with no needed human communication, such as reporting reassignments using the Shared Whois Project (SWIP).

These RESTful operations require what’s known as an application programming interface (API) key. API keys are a way of identifying and authenticating your interactions with Reg-RWS. There are some big changes for API keys coming soon; let’s take a look at what you need to know and how to prepare for the new processes and requirements.

API Key Security in ARIN Online

To follow security best practices, we will begin encrypting all of the API keys in our database. This means two important things:

  • After you create and save your key, you won’t be able to see your key in ARIN Online and, more importantly, neither will we. During the creation process, you’ll have one opportunity to download or copy the key into secure storage on your systems (i.e., into a password manager for safe keeping). Once that’s done, you will only be able to identify the key from its prefix in ARIN Online.
  • If you should lose access to your API key, you will need to deactivate the old one and create a new one. Just like passwords, we will be unable to provide it to you. We will see what you see — just the key’s prefix (e.g., API-1234).

This change will occur on 3 January 2023. From that date forward, all existing API keys will be encrypted. If you wish to copy your existing API keys into a password manager, be sure to do so by 2 January.

New, Encrypted API Keys Example

API Key Length

In the past, API keys were a unique 16-character string separated with hyphens (e.g., API-1234-ABCD-5678-E). Based on community feedback, we’ve increased the required length to 32 characters for any new keys generated. Existing 16-character keys will still work for your current automation. If you wish to take advantage of the new, longer keys, you’ll need to generate new API keys and deactivate your old ones.

Old, Unencrypted API Keys Example

Manage Your API Keys

One thing that won’t be changing is where you can manage your API keys. Create and delete keys by logging into ARIN Online and visiting Settings > Security > Manage API Keys. For additional information regarding API keys in ARIN Online, view our guide to Application Programming Interface (API) Keys.

Post written by:

Garth Dubin
Software Engineering Manager

Recent blogs categorized under: Updates

Sign up to receive the latest news about ARIN and the most pressing issues facing the Internet community.


RPKI •  Grant Program •  Public Policy •  Training •  Updates •  ARIN Bits •  Fellowship Program •  Elections •  IPv6 •  Business Case for IPv6 •  Caribbean •  IPv4 •  Security •  Data Accuracy •  Internet Governance •  Tips •  Customer Feedback •  Outreach •  IRR


Connect with us on LinkedIn!