Our IT apps team is considering using a "permanent API token" rather than a
"per login session API token" for our internal system to obtain truck drivers'
(or cargo drivers') sensitive identification numbers, to be sent from Self Service
Terminals (which are placed in our premises with no Internet access, but these
SSTs are owned by an outsourced security guard firm, Certis).
I think the IT apps team has issues with implementing a "per session API token"
& they feel it's only a simple internal CRUD (Create Read Update Delete)
operation. Any concern with this?
If we were to use the 'permanent' token, should this token be refreshed
every 3 months (i.e. the token key has to be updated in the SST every
3 months & updated in our apps 3-monthly), or are there other mitigations,
like using a firewall to restrict API calls between those few SSTs' IPs & our
Leakage of the NRIC / passport # is punishable by local privacy laws.
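To make the trade-off concrete, here is an added illustration (not code from the question or from any answer) of what "per session" tokens buy the server side: each token is bound to one SST identity, carries an expiry, can be revoked individually if leaked, and is only accepted from an allowlisted SST address. The SST identifiers, IP addresses, key and TTL are constructed assumptions for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret and policy values (assumptions for the demo).
SERVER_KEY = secrets.token_bytes(32)
SESSION_TTL = 15 * 60                       # seconds a session token stays valid
ALLOWED_SST_IPS = {"10.0.5.11", "10.0.5.12"}  # the few SSTs the firewall should permit
REVOKED_NONCES: set[str] = set()             # tokens killed before expiry (e.g. suspected leak)


def _sign(payload: str) -> str:
    """HMAC-SHA256 over the payload so the server can verify it issued the token."""
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_session_token(sst_id: str, now: int) -> str:
    """Mint a short-lived token bound to one SST; `now` is epoch seconds."""
    exp = now + SESSION_TTL
    payload = f"{sst_id}|{exp}|{secrets.token_hex(8)}"   # random nonce => unique per session
    return f"{payload}|{_sign(payload)}"


def revoke_session(token: str) -> None:
    """Invalidate one token immediately; a permanent token has no such granularity."""
    REVOKED_NONCES.add(token.split("|")[2])


def validate_session_token(token: str, client_ip: str, now: int) -> tuple[bool, str]:
    """Return (accepted, reason_or_sst_id); checks source IP, signature, revocation, expiry."""
    if client_ip not in ALLOWED_SST_IPS:
        return False, "ip not allowed"
    parts = token.split("|")
    if len(parts) != 4:
        return False, "malformed"
    sst_id, exp, nonce, sig = parts
    if not hmac.compare_digest(sig, _sign(f"{sst_id}|{exp}|{nonce}")):
        return False, "bad signature"          # tampered or forged token
    if nonce in REVOKED_NONCES:
        return False, "revoked"
    if now >= int(exp):
        return False, "expired"                # a stolen token is useless after the TTL
    return True, sst_id
```

With a permanent token the only equivalents of the last three checks are the 3-monthly rotation and the firewall rule, so a leaked token stays usable from an allowed address until the next rotation.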