MicrosoftEdge-Extensions icon indicating copy to clipboard operation
MicrosoftEdge-Extensions copied to clipboard
verified publisher icon microsoft

[FeatureReq - Partner Center] It is recommended to extend the expiration time of Edge extension REST API keys

Open Xsy41 opened this issue 11 months ago • 5 comments

Is your feature request related to a problem? Please describe. When using the Microsoft Edge extension's REST API (v1.1), I found that the default expiration time for the API key was just over two months. This is inconvenient for long-term automated deployments and CI/CD integrations because API keys need to be manually regenerated and updated frequently.

Describe the solution you'd like Provide longer API key expiration times (e.g., 1 year or forever).

Describe alternatives you've considered provide an automatic renewal mechanism (such as refreshing tokens via OAuth 2.0). Added the option to customize the expiration time in the Partner Center.

Additional context

Image

Reduced development efficiency: Frequent manual API key updates increase development and operation effort. Automated interruption: If the API key is not updated in a timely manner, the CI/CD pipeline will be interrupted due to authentication failure. User experience degradation: For extensions that require long-term maintenance, frequent key management can affect the developer experience.

Xsy41 avatar Feb 14 '25 08:02 Xsy41

Hi @Xsy41, thank you for contacting us. We are looking into this and will let you know as soon as we have an update.

ManikanthMSFT avatar Feb 18 '25 03:02 ManikanthMSFT

Looking forward to your reply!❤️

Xsy41 avatar Feb 18 '25 05:02 Xsy41

Hi @Xsy41

Just to keep you informed—this feature request hasn’t been planned yet. It’s likely to be considered in the next cycle. I’ll share any updates as soon as I receive them.

Rahul-Bauri avatar Jul 30 '25 06:07 Rahul-Bauri

The 'enhanced security' of API keys with 72 day expiration (https://blogs.windows.com/msedgedev/2024/09/30/enhanced-security-for-extensions-with-new-publish-api/) is not worth the significantly worsened DX. I have automated publishing workflows in GitHub Actions (https://github.com/catppuccin/web-file-explorer-icons/blob/main/.github/workflows/release-please.yml) with the Partner Center API key in GitHub Actions Secrets, and I was surprised to find my release workflow randomly fail a month or two after using it successfully due to the API key expiring: https://github.com/catppuccin/web-file-explorer-icons/actions/runs/15123538940/job/42511098743.

This change ensures that API keys are rotated more frequently, reducing the risk of compromised credentials.

You could make the default expiration date 72 days, but at least make it configurable so those with adequate security practices aren't burdened by this limitation.

You will receive regular email notifications before your API key expires.

This quote from the September announcement post I linked earlier also appears to be false, as my organization didn't receive any notification that the token had expired.

uncenter avatar Aug 04 '25 13:08 uncenter

Hi @uncenter

Thank you for your detailed feedback and suggestions regarding the API key expiration and notification process. I’ve noted your concerns and forwarded them to our internal team for consideration in future improvements. Your input is valuable and will help guide more user-friendly enhancements.

Rahul-Bauri avatar Aug 05 '25 14:08 Rahul-Bauri