Summary

Currently Zabbix does not provide a way of generating and managing standalone API Auth tokens. Any 3rd party application that uses API must call 'user.login', it is not good for the following reasons:

• user name and clear text password must be stored on client side
• no Auth token management, it is impossible to see full list of active tokens, also no way to revoke a token

Аcceptance

1. Any Zabbix user having enough permissions may create one or more API Auth tokens

1. 1. User settings and user editing forms will have access to a list of tokens assigned to this user
   2. Each token will have the following attributes:
      1. Creation time: date and time when the token was created
      2. Expiration time: optional expiration date and time. Token cannot be used after expiration time
      3. Creator: user who created this token
      4. Name: non-unique short name of the token
      5. Description: longer description of the token (optional)
      6. User: to whom this Auth token is assigned, the user to borrow permissions from
      7. Status: active, disabled
      8. Token: value of the API Auth token, visible only when a token is generated
         1. Token must be a randomly generated 32 byte string represented as 64 character HEX value
2. User roles will be extended to support another allowed action (role): Create and edit API tokens
3. List of all tokens will be available to super-administrators under Administration->General→Auth tokens
   1. Therefore super-administrators can create new, update and delete tokens created by any user
      1. Only if super-admins has permissions to "Create and edit API tokens"
4. The following operation will be supported for tokens:
   1. Create, Delete, Disable, Enable
   2. Update: only name, description and status
5. Zabbix API will be extended to support operations with tokens
   1. Same restrictions for operations as in the UI
   2. Token value is only returned on create, 'get' must not return token value
6. Access to Zabbix API methods will be possible:
   1. using user name and password authentication (as it is now)
   2. using Auth token given in the "Auth" field

Nonfunctional requirements

1. N/A

Use cases

1. I want to generate and share Zabbix API token having expiration date and limited permissions with some 3rd party
   1. I do not want to share user name and password!

Decisions made

1. No read only tokens for now. It should probably be implemented on user role level
   1. Besides Zabbix 5.2 support filtering for API methods, which is even more flexible
2. API token values are write-only