About API keys when using the curl command


L1 Bithead

About API key issuance
We understand that API keys are issued by executing the following curl command toward PA.
curl -k -X GET 'https://<PA-Firewall-IP>/api/?type=keygen&user=<username>&password=<password>'

Regarding the issued API key, does a different API key get issued each time the command is executed?
※Assuming that the username/password is not changed

There are no specific API settings on the PA side (default state), and when the Curl command is executed from the server, the API key changes each time it is executed as shown below.
Is it a specification that the API key changes each time the Curl command is executed, and if the API key needs to be fixed, is some setting required on the PA side?

Cyber Elite

@n-tomo,

If you have made no other modifications to the configuration of the device, simply generating an API key does not invalidate the previously generated keys. In fact, you can utilize the same API key across multiple devices assuming that the following are configured exactly the same:

Cyber Elite

Oh hey look, 90% of my reply got eaten. I guess let's try that again with less formatting.

The answer to your question is it depends on if you're using API Key lifetime or not. Out of the box you wouldn't be, which means none of the previously generated API keys are being invalidated and you can utilize the previously generated keys for as long as you want. You can actually utilize the same API key across multiple devices assuming that the username, password, and master key are the same across the devices without having gone through the key generation process at all.

Out of the box this works more like a phash value than a traditional API key. The way that you would ensure that you have invalidated previously generated API keys would be by changing the user's password, which would invalidate all of the API keys.

When you set up API key lifetime, simply regenerating the API key still doesn't invalidate previously generated keys, but they would invalidate themselves depending on what you have the lifetime minutes set to. You also gain the ability to utilize the 'Expire All API Keys' option available under Device -> Setup -> Management -> Authentication Settings to immediately expire all of the previously generated keys in the event that you have privileged employee turnover or expect a key has been compromised without changing the user's password (although that would likely be a good idea anyways).

I would recommend using something like Hashicorp Vault if you do a lot of scripting against the API so that you can store the key (whether using key lifetime or not) and only have a single location to update all of your keys when you rotate them. This way you aren't storing credentials directly within scripts and you don't have a heavy overhead to maintaining keys.

If you want to use the same API key across multiple devices, you would need to keep the default setup and just be careful about who has access to the key and what permissions you are granting said associated user. Once you put key lifetime in place that capability goes away and you would need to have a key per device.

If you're just trying to utilize it in automation of some sort and want it to be stable so it isn't changing, then I would kind of question the intent behind that. You can automate against something like Vault to facilitate automatic key rotation if you're doing lifetime on your keys, or you could have a schedule to have your lifetime be something like every 10 days and know that you'll need to update your key value pair for the API key within that 10 day period so they aren't staying the same. All kind of comes down to what you want to do and what your own risk appetite is for key re-use.

L1 Bithead

@BPry
Thanks for your reply!

I think I'm close to solving the problem.

So, is it possible to fix the API key?
Also, is there a way to set an expiration date for the API key?

Cyber Elite

@n-tomo,

You keep the same API key by ... saving it. The command that you're issuing is telling the firewall to generate an API key, so it does. If you wanted to use the same key you would need to save the key that was generated, preferably in some sort of secrets engine, so that you can use it in later scripts. 

There's not a way to set a dedicated expiration on the key, that is where lifetime comes into play. You would set the lifetime to whatever you desire so that the keys expire as necessary. Just be mindful that you can't clear a specific key early; if you ever handed out a key that you wanted to ensure could no longer be used you would expire them all.

If you detail what you're trying to achieve we may be able to help you a bit more. It seems like you have a specific use case in mind already that you're trying to work around. 
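As an added example (not code from the thread or from BPry), the POSIX shell script below does what the last reply recommends: request a key once, save it with owner-only permissions, and reuse it from the saved file instead of running keygen on every invocation. It assumes the keygen response is XML of the form `<response status = 'success'><result><key>...</key></result></response>`, that the keygen endpoint also accepts the credentials as POST form fields (so they stay out of shell history and HTTP access logs rather than sitting in the URL as in the GET command at the top of the thread), and that the firewall accepts the key in an `X-PAN-KEY` request header; check these against the XML API reference for your PAN-OS version. The variable names `PAN_HOST`, `PAN_USER`, `PAN_PASS` and `PAN_KEY_FILE` and the two sample responses are constructed for this example. The thread's `-k` flag disables certificate verification, so the script leaves it out.

```shell
#!/bin/sh
# Added example, not from the thread: obtain a PAN-OS XML API key once,
# store it with owner-only permissions, and reuse it from the stored file.
# Assumptions (not confirmed by the thread): keygen returns
#   <response status = 'success'><result><key>...</key></result></response>
# and accepts the credentials as POST form fields; the firewall accepts the
# key in an X-PAN-KEY header. PAN_HOST, PAN_USER, PAN_PASS and PAN_KEY_FILE
# are variable names chosen for this example.

# Extract the <key> value from a keygen response read on stdin.
# Prints nothing and returns 1 when the status is not 'success' or no
# <key> element is present (e.g. the error response for bad credentials).
parse_api_key() {
    body=$(cat)
    printf '%s\n' "$body" | grep -Eq "status *= *[\"']success[\"']" || return 1
    key=$(printf '%s\n' "$body" | sed -n 's/.*<key>\([^<]*\)<\/key>.*/\1/p' | head -n 1)
    [ -n "$key" ] || return 1
    printf '%s\n' "$key"
}

# Ask the firewall for a key. Credentials go in the POST body rather than
# the query string so they stay out of shell history and HTTP access logs.
# The thread's -k flag is deliberately omitted: it disables certificate
# verification, so trust the firewall's certificate (or pass --cacert).
pan_keygen() {
    curl -sS --fail \
        --data-urlencode "user=$PAN_USER" \
        --data-urlencode "password=$PAN_PASS" \
        "https://$PAN_HOST/api/?type=keygen" | parse_api_key
}

# Write the key ($2) to a file ($1) that only the current user can read.
save_api_key() {
    ( umask 077 && printf '%s\n' "$2" > "$1" )
}

# Return the stored key from file $1, generating and storing one on first
# use. As the thread explains, re-running keygen does not invalidate earlier
# keys, so there is no reason to request a fresh key on every run.
load_or_create_api_key() {
    if [ -s "$1" ]; then
        cat "$1"
    else
        key=$(pan_keygen) || return 1
        save_api_key "$1" "$key"
        printf '%s\n' "$key"
    fi
}

# Constructed sample responses for offline use; not real firewall output.
SAMPLE_OK="<response status = 'success'><result><key>EXAMPLEKEY0123</key></result></response>"
SAMPLE_ERR="<response status = 'error'><result><msg>Invalid Credential</msg></result></response>"

# Live use, only when a firewall is configured in the environment:
if [ -n "${PAN_HOST:-}" ]; then
    KEY=$(load_or_create_api_key "${PAN_KEY_FILE:-$HOME/.pan_api_key}") || exit 1
    curl -sS --fail -H "X-PAN-KEY: $KEY" \
        "https://$PAN_HOST/api/?type=op&cmd=<show><system><info></info></system></show>"
fi
```

Setting a key lifetime on the firewall changes nothing in this script except that `load_or_create_api_key` will start failing with the stored key once it expires; at that point delete the key file (or have the scheduled rotation job do it) and the next run will request and store a new one.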
