I’m curious about the best practices for when to leverage the Org JWT vs a user-generated API key.
The Org JWT appears to grant owner-level permission for each organization, while a user-generated API key has more granular permission control.
When integrating my application as a front end to interface with LC, are there any best practices for when to use one method over the other?
Hello, the permissions you can set on Org API Keys are the same as for User API Keys.
The main difference is that User API Keys will effectively impersonate the user at the API key level and will provide access to all the orgs, with all the permissions, that the user has access to.
So usually Org API Keys are slightly safer, since if they leak they have a small blast radius.
Where User API Keys are useful is when you want to more easily perform operations across a large number of organizations without managing too many individual keys.
It’s a common pattern for service providers running operations at scale to use a Root User, that nobody can log into, as the creator of all the Orgs that get created. That user applies the configs to all the new orgs. It allows the MSSP to track created orgs more easily and do infrastructure as code across the board.
Hope that helps
Cheers
Maxime
Thank you!! Also, for clarification, when you say Org API key, is that the same as the Org JWT in the browser?
A JWT is a temporary access token; it will expire after 1h by default.
In this case it’s a convenience copy-paste of the current user-based token. In general you will want an API Key, which will enable you to get a JWT to use with the API.
Take a look at the doc here; it should help explain it: API Keys
If you use the SDKs (Go and Python), they will take care of getting the JWTs using an API key, renewing the JWTs, etc.
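As an added illustration (not code from LimaCharlie or from Maxime's reply), here is a minimal Python client that does what the reply describes: exchange an API key for a short-lived JWT, cache it, and renew it before the 1h expiry, so that only the API key is ever stored and the JWT is never copied around by hand. It assumes the `https://jwt.limacharlie.io` endpoint takes a POST with `oid` and `secret` and answers `{"jwt": "..."}`, and that the API accepts `Authorization: bearer <jwt>`; confirm both against the API Keys doc linked above. The `unsigned_jwt` helper exists only so the renewal logic can be exercised offline without a real key.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

# Assumption: LimaCharlie's JWT endpoint, which exchanges an org id and an
# API key for a short-lived JWT. Verify against the "API Keys" doc.
JWT_ENDPOINT = "https://jwt.limacharlie.io"


def fetch_jwt(oid: str, api_key: str, endpoint: str = JWT_ENDPOINT) -> str:
    """Exchange an API key for a JWT with a single POST (network call)."""
    body = urllib.parse.urlencode({"oid": oid, "secret": api_key}).encode()
    req = urllib.request.Request(endpoint, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode())["jwt"]


def jwt_expiry(token: str) -> int:
    """Read the 'exp' claim (seconds since epoch) from a JWT payload.

    The signature is deliberately NOT verified: the token was just received
    from the API over TLS and is only inspected locally to schedule renewal.
    Never use this to decide whether to trust a token presented by a client.
    """
    segments = token.split(".")
    if len(segments) != 3:
        raise ValueError("not a JWT")
    payload = segments[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return int(claims["exp"])


class JwtCache:
    """Holds one JWT for an (oid, API key) pair and renews it before expiry."""

    def __init__(self, oid, api_key, fetch=fetch_jwt, skew=120, clock=time.time):
        self._oid = oid
        self._api_key = api_key        # the long-lived secret; keep this out of logs
        self._fetch = fetch            # injectable for offline tests
        self._skew = skew              # renew this many seconds before 'exp'
        self._clock = clock
        self._token = None
        self._exp = 0
        self.renewals = 0              # how many times a JWT was fetched

    def token(self) -> str:
        if self._token is None or self._clock() >= self._exp - self._skew:
            self._token = self._fetch(self._oid, self._api_key)
            self._exp = jwt_expiry(self._token)
            self.renewals += 1
        return self._token

    def auth_header(self) -> dict:
        # Assumption: the API expects a bearer token in the Authorization header.
        return {"Authorization": "bearer " + self.token()}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unsigned_jwt(claims: dict) -> str:
    """Build a structurally valid but UNSIGNED JWT (alg 'none') for local tests only."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}."


if __name__ == "__main__":
    # Real usage: export LC_OID and LC_API_KEY (an Org API key), then run.
    import os
    cache = JwtCache(os.environ["LC_OID"], os.environ["LC_API_KEY"])
    print(cache.auth_header()["Authorization"][:24] + "...")
```

The cache renews a little early (`skew`) so a request never goes out with a token that expires mid-flight, and `fetch` is injected so the logic can be tested against constructed tokens rather than a live org. This is roughly what the Go and Python SDKs handle for you, which is why using them is usually preferable to rolling your own.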