
Access Key vs. Shared Access Signature (SAS) Token

Both the Access Key and the Shared Access Signature (SAS) Token provide secure authentication and authorization for Azure. The choice between them depends on which method best fits your specific requirements. We recommend consulting your security team to determine the method that suits your needs.

In general, the Access Key provides global, root-level permissions to your Azure Blob. It should be the preferred method when your Blob is used solely by Files.com and does not need to share access with other users or solutions.

On the other hand, the Shared Access Signature (SAS) Token offers restricted, user-specific permissions to your Azure Blob. It is the preferred option when your Blob needs to be accessed by multiple users or solutions. The SAS Token allows more granular control over access, enabling you to limit permissions to specific parts of your Blob and better segregate data access.

Regardless of whether you choose the Access Key or the SAS Token, it must be long-lived. A long-lived key or token does not have an expiration date and must be manually revoked or expired when no longer needed. This ensures that your integrations remain functional until you explicitly revoke access.

If you choose to set an expiration date on a SAS Token, we strongly recommend specifying a duration that matches the expected lifetime of the business process the integration supports. The default duration of a SAS Token created in the Azure Portal is only 8 hours, which is far too short for a business integration. For example, if you are using a SAS Token for a business process with a vendor with whom you will transact for one year, you should set the expiration date to be no shorter than that timeframe.

All connections to Azure, and all functionality that depends on them, will stop working once the key or token expires or is revoked. Expired or revoked keys and tokens will cause Remote Syncs, automations, uploads, downloads, and Remote Mounts to fail. Ensure these features are configured to operate only while the key or token is valid.

Any uploads, syncs, or automations in progress will fail if the key or token expires or is revoked. Files being uploaded will not be partially delivered and must be re-uploaded from the beginning once the key or token is replaced. Syncs and automations in progress will show a status of Partial failure, indicating that some files were successfully delivered before the key or token expired or was revoked. Depending on the configuration, syncs and automations may continue to trigger and will continue to fail until the key or token is replaced.

If a key or token is rotated, revoked, or expired, and you need to restore access to Azure, you will need to replace the key or token with a new one. Update the Remote Server with the new key or token to re-establish access to your Azure Blob.

Do not use keys or tokens with expiration dates unless you are prepared for the downtime at the expiration time and are willing to manually replace the key or token each time it expires.
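To check a SAS Token's expiry and permissions before entering it into a Remote Server, you can read them directly from the token's query-string fields. The following is an added example, not Files.com or Microsoft code; it assumes the standard SAS fields `se` (expiry), `sp` (permissions), `sr`/`ss` (scope) and `si` (stored access policy), and the function names and sample token are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs

# Common permission letters in the SAS "sp" field; others print as-is.
PERMS = {"r": "read", "a": "add", "c": "create", "w": "write",
         "d": "delete", "l": "list"}
# Timestamp forms accepted in the "se" (signed expiry) field, all UTC.
SE_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d")
# Constructed token mimicking the 8-hour portal default; not a real credential.
SAMPLE = ("?sv=2022-11-02&sr=c&sp=rwl&st=2025-01-01T00:00:00Z"
          "&se=2025-01-01T08:00:00Z&sig=CONSTRUCTED")


def parse_expiry(se):
    for fmt in SE_FORMATS:
        try:
            return datetime.strptime(se, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised se value: {se!r}")


def audit_sas(token, needed_days, now=None):
    """Return (findings, summary); the sig value is never returned or printed."""
    now = now or datetime.now(timezone.utc)
    q = {k: v[0] for k, v in parse_qs(token.lstrip("?")).items()}
    summary = {"permissions": [PERMS.get(p, p) for p in q.get("sp", "")],
               "scope": "account" if "ss" in q else q.get("sr", "unknown"),
               "expires": None}
    findings = []
    if "se" in q:
        expires = summary["expires"] = parse_expiry(q["se"])
        if expires <= now:
            findings.append("token has already expired")
        elif expires < now + timedelta(days=needed_days):
            hours = (expires - now).total_seconds() / 3600
            findings.append(f"expires in {hours:.0f}h, before the "
                            f"{needed_days}-day process ends")
    elif "si" in q:
        findings.append(f"expiry comes from stored access policy {q['si']!r}")
    else:
        findings.append("no se or si field; token is malformed")
    return findings, summary


if __name__ == "__main__":
    print(audit_sas(SAMPLE, needed_days=365))
```

Set `needed_days` to the expected lifetime of the business process; an empty findings list means the token outlasts it.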

If you're unsure, we recommend using a long-lived Shared Access Signature (SAS) Token because it provides more granular security controls.
