Skip to main content

Enhancing the security of Microsoft Edge extensions with the new Publish API

Written By published September 30, 2024

As part of our commitment to continuously improve our security methods and practices, we are excited to introduce changes to the Publish API for Edge extensions developers. These changes are part of the Microsoft Secure Future Initiative and are designed to enhance the security of your extensions and streamline the extension publishing process.

In this blog post, we’ll walk you through the key security capabilities introduced with the new Publish API, how it differs from the current API, and how extension developers can easily opt-in to and use the new experience.

Key security enhancements

The new Publish API delivers the following key enhancements:

  • Enhanced API key generation

    Secrets are now API keys. With the new Publish API, the API key is generated automatically by our backend services. This means that the ClientId and API Keys are regenerated for every developer, therefore enhancing security by reducing dependency on static credentials.

  • API key management

    Instead of creating and deleting secrets from the App registration, the new experience involves creating and deleting hashes of API keys in the database. This approach ensures that sensitive information is not stored directly, further enhancing security.

  • Access token URL

    The new Publish API doesn’t require sending an access token URL. The URL is now generated internally instead. Note that this change may require you to update your CI/CD pipeline configurations, but it greatly reduces the risk of exposing sensitive information.

  • API key expiration

    API keys now expire every 72 days, compared to the previous 2-year expiration period. This change ensures that API keys are rotated more frequently, reducing the risk of compromised credentials. You will receive regular email notifications before your API key expires.

Here is what the Publish API page looks like when you sign in to Partner Center. For comparison, the first screenshot below shows the current experience, and the second screenshot shows the new version:

The Publish API page in Partner Center, showing the current experience, which uses Client ID and access token URL
The current Publish API page in Partner Center
The Publish API page in Partner Center, showing the new experience, once the new Publish API has been enabled
The new Publish API page in Partner Center

Get ready for the new Publish API experience

Using the new Publish API requires some development workflow changes. Here is how to get started:

  • As a developer, you opt-in to the new API key management experience in Partner Center.
  • Next, regenerate your ClientId and secrets, which may require updates to your authentication workflows.
  • Finally, reconfigure any existing CI/CD pipelines that may be impacted by the changes to access token URL and API key.

In Partner Center, once you opt-in, you will be guided through the steps to regenerate your ClientId and API key. To learn more, see Using the REST API for updating Microsoft Edge Add-ons.

To minimize the disruption of moving to the new Publish API, we have made this an opt-in experience. This allows you to transition to the new experience at your own pace. If needed, you can also opt-out and revert to the previous experience, although we encourage everyone to transition to the new, more secure, experience as soon as possible.

The security enhancements coming with the new Publish API will help protect your extensions and improve the security of the publishing process.

If you have any questions or feedback, you can contact us by opening on issue on our GitHub repository.