Access Key vs. Shared Access Signature (SAS) Token

Both the Access Key and the Shared Access Signature (SAS) Token provide secure authentication and authorization for Azure. The right choice depends on your specific requirements. We recommend consulting your security team to determine the method that suits your needs.

The Access Key provides global, root-level permissions to your Azure Blob. It is the preferred method when your Blob is used solely by Files.com and does not need to share access with other users or solutions.

The Shared Access Signature (SAS) Token offers restricted, user-specific permissions to your Azure Blob. It is the preferred option when your Blob needs to be accessed by multiple users or solutions. The SAS Token allows more granular control over access, letting you limit permissions to specific parts of your Blob and better segregate data access.

Whichever you choose, the key or token must be long-lived. A long-lived key or token does not have an expiration date and must be manually revoked or expired when no longer needed. Your integrations remain functional until you explicitly revoke access.

If you implement an expiration date for a SAS Token, we strongly recommend a duration that matches the expected lifetime of the business process the integration supports. The default duration of a SAS Token created in the Azure Portal is only 8 hours, which is far too short for a business integration. For example, if you are using a SAS Token for a business process with a vendor you will transact with for one year, set the expiration date to be no shorter than that timeframe.
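One way to check a SAS Token's expiry against the lifetime of the business process before you configure it. This is an added example, not code from Files.com or Microsoft. The sample token is constructed with a placeholder signature, and the names `review_sas` and `parse_sas_time` are hypothetical. It goes slightly beyond the text by also handling tokens whose expiry is held in a stored access policy (`si`) rather than in the token itself.

```python
from datetime import datetime, timezone
from urllib.parse import parse_qs

# Constructed sample: a container-scoped SAS with the 8-hour portal default.
# The signature is a placeholder, not a real credential.
SAMPLE_SAS = ("?sv=2022-11-02&sr=c&sp=rwdl&st=2024-01-01T00:00:00Z"
              "&se=2024-01-01T08:00:00Z&spr=https&sig=PLACEHOLDER")

def parse_sas_time(value):
    """Parse the UTC ISO 8601 forms Azure accepts for the st/se fields."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAS time: {value!r}")

def review_sas(token, process_end, now=None):
    """Return (status, details) for a SAS token against a process end date."""
    now = now or datetime.now(timezone.utc)
    params = {k: v[0] for k, v in parse_qs(token.lstrip("?")).items()}
    details = {
        "permissions": params.get("sp"),                 # e.g. r, w, d, l
        "scope": params.get("sr") or params.get("srt"),  # service or account SAS
        "expires": None,
    }
    if "se" in params:
        expires = details["expires"] = parse_sas_time(params["se"])
        if expires <= now:
            return "expired", details
        if expires < process_end:
            return "too_short", details   # integration will break mid-process
        return "ok", details
    if "si" in params:
        # Expiry lives in the stored access policy on the container, not in the token.
        details["policy"] = params["si"]
        return "check_policy", details
    return "invalid", details  # neither an expiry (se) nor a policy (si) is present

if __name__ == "__main__":
    end = datetime(2025, 1, 1, tzinfo=timezone.utc)  # assumed end of the vendor process
    print(review_sas(SAMPLE_SAS, end))
```

A `too_short` result for a token you are about to paste into a Remote Server means the integration will fail before the business process ends; the reported permissions and scope show how narrowly the token is restricted.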

All connections to Azure, and the functionality that depends on them, stop working once the key or token expires or is revoked. Expired or revoked keys and tokens cause Syncs, automations, uploads, downloads, and Remote Mounts to fail. Configure these features to only operate while the key or token is valid.

Any uploads, syncs, or automations in progress fail if the key or token expires or is revoked. Files being uploaded will not be partially delivered and must be re-uploaded from the beginning once the key or token is replaced. Syncs and automations in progress show a status of Partial failure, indicating that some files were successfully delivered before the key or token expired or was revoked. Depending on the configuration, syncs and automations may continue to trigger and will continue to fail until the key or token is replaced.

If a key or token has been rotated or revoked, or has expired, and you need to restore access to Azure, replace the key or token with a new one. Update the Remote Server with the new key or token to re-establish access to your Azure Blob.

Do not use keys or tokens with expiration dates unless you are prepared for the downtime at the expiration time and are willing to manually replace the key or token each time it expires.

If you're unsure, we recommend using a long-lived Shared Access Signature (SAS) Token because it provides more granular security controls.