An interactive web UI for managing API access — issuing and rotating credentials, scoping projects, enabling features, and inspecting usage and billing. The console is the operational surface of an API, distinct from the developer portal (informational) and the marketing website (promotional). For cloud-style providers the console is often the dominant consumer surface and the primary trust boundary.

Also known as: API Console, Developer Console, Admin Console, Management Console, Dashboard

Example

- type: Console
  url: https://console.example.com/

Standards

• IETF OAuth 2.0 (RFC 6749)
• IETF (draft) OAuth 2.1 (draft)
• OpenID Foundation OpenID Connect Core 1.0
• W3C WebAuthn Level 3
• NIST NIST SP 800-63B (Authentication Assurance)

Risk & Compliance

OWASP:

• OWASP API Security Top 10: API2:2023 Broken Authentication — consoles concentrate credential operations and are high-value targets.
• OWASP API Security Top 10: API5:2023 Broken Function Level Authorization — admin-only console actions must not be reachable by lower-tier roles.

Compliance:

• SOC 2 CC6.1 — logical access controls cover the console as a privileged interface.
• PCI DSS v4 Req. 8 — strong authentication required for console access to cardholder environments.
• GDPR Art. 32 — appropriate technical measures including MFA on admin surfaces.

Security: The console concentrates credential issuance, rotation, and project administration into one surface. Require MFA on every account, enforce session timeouts shorter than the API key's lifetime, audit every privileged action, and never reuse the console session for API calls. Treat the console as the highest-trust tier of the platform.

Tools

• Auth0 — Hosted authentication for consoles
• Clerk — Hosted user management for app/console surfaces
• WorkOS — Enterprise SSO/SCIM for consoles
• Casbin — Authorization library for fine-grained console permissions (Apache-2.0)

Suggested Metrics

• mfa_enrollment_rate — Share of console accounts with MFA enabled — should be 100% for admin roles.
• privileged_action_audit_coverage — Share of privileged console actions that emit an audit-log entry.
• console_session_p95 — 95th-percentile console session duration — long sessions are a risk surface.
• key_rotation_rate — Share of issued API keys rotated within the documented policy interval.

Example Implementations

• AWS — Canonical cloud management console covering identity, services, and billing.
• Google Cloud — Console for project, API, and credential management across Google Cloud services.
• Stripe — Dashboard for keys, webhooks, events, payments, and billing.
• Twilio — Console for project credentials, phone numbers, and usage.

Related Properties

• Authentication
• Login
• Portal
• Security
• Rate limits

Tags

• Management
• Credentials
• Operations

All Common Properties