Apigee has recently made changes to improve Basic authorization for Apigee personal accounts.
What do I need to know?
We have recently made improvements to our Basic authorization for Apigee personal accounts that may require changes for accounts that have enabled MFA (Multi-Factor Authentication).
This change affects curl and any equivalent HTTP client, including those built in to a programming language or platform.
This update will be enforced starting October 26, 2020 at 16:00 UTC at which point Basic authorization on an account with MFA will no longer be supported by the APIs.
What do I need to do?
If you aren't using tokens with the curl command:
We recommend you consider using tokens (with Bearer authorization, see our Using OAuth2 to access the Edge API documentation) or move to using machine users without MFA when calling Management Server APIs via curl commands.
We highly recommend using MFA for your personal accounts.
When using tokens with the curl command:
An access token is valid for hours after being issued; the expiration time is readable in the token payload. It is counterproductive to request a new access token for every API call. After the access token expires, the refresh token can be used for days to issue another access token, without requiring credentials. Only after the refresh token expires should you make a new token request, which would require MFA again, if enabled.
We will begin returning a HTTP 429 message [too many requests] if you request more than 30 new tokens per hour.
Our acurl and get_token utilities handle access and refresh token expiration, prompting for credentials to make token requests only when needed.
Need more information or help?
If you have any questions or require assistance, please contact Apigee Support.