RBAC Tokens should be randomly generated

RBAC tokens can be reset to specific values by users via Kong Manager or via the Admin API in Kong Enterprise 0.36-2 (and other versions also I imagine). If you choose to reset your RBAC token to a value which is already in use, the system gives an error which can easily be interpreted as “that’s an existing token for someone so you can’t use that value”…

RBAC tokens should always be generated by the system and guaranteed to be unique and of suitable complexity; otherwise the system's security can be compromised by a malicious user wishing to masquerade as someone else.
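The behaviour the post asks for, written out as an added, self-contained example that is not Kong's code and does not model Kong's Admin API: a small in-memory RBAC token store (the class name `RbacTokenStore` and its methods are assumptions for illustration) in which tokens are always drawn from the OS CSPRNG, only a hash is stored, a caller-supplied token value is rejected outright, and a reset silently issues a fresh value rather than answering a "is this value already taken?" question.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory model of an RBAC user/token store (hypothetical, not Kong's).
class RbacTokenStore:
    TOKEN_BYTES = 32  # 256 bits of entropy; token_urlsafe(32) yields a 43-char string

    def __init__(self):
        self._hash_by_user = {}   # user name -> sha256 hex of the current token
        self._user_by_hash = {}   # sha256 hex -> user name, for O(1) authentication

    @staticmethod
    def _hash(token: str) -> str:
        # Tokens are stored hashed, so a copy of the store does not yield usable tokens.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue_token(self, user: str) -> str:
        # The system chooses the value; the caller never gets to pick one.
        while True:
            token = secrets.token_urlsafe(self.TOKEN_BYTES)
            digest = self._hash(token)
            # A collision among 256-bit random values is astronomically unlikely;
            # if it ever happened we would just draw again, never report it.
            if digest not in self._user_by_hash:
                break
        old = self._hash_by_user.get(user)
        if old is not None:
            del self._user_by_hash[old]   # the previous token stops working at once
        self._hash_by_user[user] = digest
        self._user_by_hash[digest] = user
        return token  # shown to the user once; not retained in clear text

    def reset_token(self, user: str, requested_value=None) -> str:
        # Refuse caller-chosen values instead of checking them against the store:
        # an "already in use" answer would turn the reset into a token-existence oracle.
        if requested_value is not None:
            raise ValueError("RBAC tokens are system-generated; a caller-chosen value is not accepted")
        return self.issue_token(user)

    def authenticate(self, token: str):
        digest = self._hash(token)
        user = self._user_by_hash.get(digest)
        # compare_digest keeps the final comparison constant-time on a hit.
        if user is not None and hmac.compare_digest(self._hash_by_user[user], digest):
            return user
        return None


if __name__ == "__main__":
    store = RbacTokenStore()
    first = store.issue_token("alice")
    print("issued:", first, "->", store.authenticate(first))
    second = store.reset_token("alice")
    print("after reset, old token valid:", store.authenticate(first) is not None)
    try:
        store.reset_token("alice", requested_value="my-chosen-token")
    except ValueError as e:
        print("rejected:", e)
```

The point of the `reset_token` guard is that it returns the same outcome for every supplied value, so nothing about which tokens exist can be learned from the reset path; uniqueness is obtained from the generator's entropy rather than from a check that reports collisions.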

