Overview
Alma REST APIs provide access to data and workflows stored in Alma. The Alma APIs are very robust and powerful, and allow for the creation of tools outside of Alma that can extend Alma's core functionality.
GIL Alma API policies
Recent data breaches at other USG institutions have prompted changes to data protection standards and increased GIL's awareness of potential security vulnerabilities. While Alma API keys are very useful for building helpful tools, they can also pose a security threat. Please read through this policy prior to requesting an API key from GIL Support:
GIL will no longer be distributing logins for the Developer Network except under extremely select circumstances. This policy may be subject to change if Ex Libris changes the way API keys are managed in the Developer Network by adding permissions features that allow for several different levels of access. There is currently a NERS request to improve this functionality. See the details of this NERS request below:
Interoperability & Integration: Currently the security management of API keys is very limited. There is no way to limit or control how an API key is used besides the basic "area", "environment" and "permissions" setting. The API reports are also lacking details.
Developers interested in utilizing an Alma API key must first complete a security review for the application. To start the security review, complete the API Request form and provide basic information about the web application. GIL will contact the requester within 48 hours to arrange for security testing. Please read through the rest of this document prior to filling out the form.
If you currently have direct access to your API keys in the Developer Network, please refrain from deleting or editing existing API keys. If you need to create a new API key, please fill out the above form and work with GIL Support to add your new key. GIL needs to have a record of all applications that are interfacing with the API, and contact information for the person responsible for that key.
In cases where custom development is involved, or where write access is required, API keys will initially be configured to access the Alma sandbox. Once your application has been thoroughly tested by your developer, contact GIL Support to arrange the transition of your application to production Alma.
Do not distribute API keys through email. Do not distribute API keys to student workers unless they have been approved to handle sensitive information.
Do not include API keys in source code visible via "view source" on a website, or via a publicly accessible version control system such as GitHub.
API key usage will be monitored and unused keys will be removed on a periodic basis. Institutions will be notified prior to removal.
The Alma sandboxes contain a snapshot of all the data from the represented institution, so API keys pointing to the sandbox can be just as dangerous (in terms of privacy concerns) as keys pointing to production, and so should be treated in the same manner.
Once an API key has been assigned, the primary contact person is fully responsible for the proper usage of that key.
Please create a GIL Support ticket if you have any questions about this policy.