An API key must be used by a single device

Hi,

My license key generator using the Lime LM API from a Zapier seems to have recently stopped working. The error is that "An API key must be used by a single device".

Has something changed over the past months that may cause this to happen? We haven't made any changes recently and it used to work fine.

Thank you,

Ian

We made a change nearly a year ago that limits API keys to a single IP address.

The error code is described in detail here: https://wyday.com/limelm/help/api/limelm.pkey.generate/#error-codes

Thank you,

I went to my settings page but don't see where I can reset the last used IP address. It just seems to be a display of the information.

Thanks,

Ian

On the settings page for the user account to which the API key belongs you'll see the last used IP address for the API key and you'll see a link to reset the last used API key. Click the link.

I don't see a link - am I on the wrong page?

https://drive.google.com/open?id=17PImXwhQKUz9Fx7HRGqVBF_HxF0OEHgb

The reset link isn't visible after 24 hours... because a reset isn't necessary after 24 hours. Just use the API key again.

Ah OK - I see the problem.

I am calling the API from Zapier, which uses Amazon and potentially a large range of IP addresses from my one user.

The Zap I am using cannot guarantee a static IP.

Is there a practical solution to this dilemma?

Hi Ian,

I don't think you're going to like Wyday's response.

Unfortunately Wyday have this overly protective API policy making what you're trying to do (which is very very very common) impossible with Wyday API.

If Wyday could please listen to developers' issues and come up with another API protection strategy (a non-IP-address-based throttling method) that would be awesome!

Regards

Steve

Thanks Steve,

That's disappointing - yes, even upgrading to a multi-user plan won't help.

As you say this must be a common problem for cloud apps.

Looks like I'm in for a re-write and change of licensing platform...

Regards,

Ian

Hey Ian,

Zapier supports static IP addresses: https://zapier.com/help/sql-server/#is-your-database-ip-restricted

Contact them and ask them how to set it up.

Regarding this change in general, this is a security measure that is necessary to ensure your data safety and your customers' data safety. I don't doubt you'll be able to find competitors to us that throw caution to the wind and have no such security protections. Hell, we have competitors who lie about making software uncrackable. So, putting your data at risk is not a big deal to these companies (in for a penny, in for a pound).

In the near future we'll be offering the following:

#1. Setting a small number of static IP addresses (3 or 4) that an API key can be accessed from.

#2. A new customer portal software that you can manage common tasks from (thereby eliminating a whole class of problems that are currently solved by using API keys).

#2 is coming first. No hard date. ASAP.

At any rate, this problem already has a solution. Contact Zapier about enabling static IPs.

Hi Wyatt,

Good news you're looking at relaxing your stance on static IPs but we have 5 front end servers so 3-4 IP addresses aren't going to work for us.

Cheers

Steve

Hi Wyatt,

I've checked out your suggestion for Ian but that solution seems to only apply to direct SQL connections.

Cheers

Steve

Contact Zapier, if they have the ability to use static IPs for some things they have the ability to do it with others.

Hi Wyatt,

I contacted Zapier and this is their response.

"We only have a static IP for our MySQL, PostgreSQL and SQL Server integrations. Everything else is from a general pool of servers from AWS's us-east-1 region. We don't have another way to lock in a specific IP -- I'm sorry for the news! Let us know if you have any questions."

Cheers

Steve

Hi Wyatt,

We are in a similar boat to Ian in that we use Zapier extensively.

Our plan was to use Wyday for licensing but as you can't integrate with them we will have to look elsewhere.

Having the "allowed" IP address being limited to 1 per 24 hours is ridiculous when so many cloud type services don't allow for static IP addresses.

Is this something you are looking to address? (Quite frankly 3 extra allowed IPs is not good enough)

Regards

Chris K

Answer

Hey Chris,

I've just published a blog post describing our rationale for this policy shift, how to properly implement security in your company, and what the future holds:

https://wyday.com/blog/2019/when-in-conflict-security-supersedes-usability/

Contact Zapier and tell them to fix their integration with LimeLM. If it's using variable (or a pool of) IP addresses then it's broken. It's their responsibility to fix their broken, insecure, software.

There's a reason they allow static IP addresses for database connections -- it's more secure. You should care about data security when storing data in any 3rd party service.


The world is changing. Apps like Shopify, Zapier, Amazon, Integrations is the way to go. Connecting LimeLM to these apps is essential in 2020. I learned this the hard way. Sometimes it’s time to recognize and update accordingly... I’m finding after 10 years, my shopping cart is old and has ancient PHP. Moving to Shopify opened my eyes onto how much money I’m actually missing out by being old-school.

@ianh

Trying to figure out a way to send a private message. Have you figured this out? I’m moving to Shopify and don’t see a dedicated Zapier for LimeLM. Was this something you created yourself?