For customers with integrations (which is most large customers), we create uStudio platform users that are essentially service accounts, following the conventions below.
[For uStudio Internal Use Only]
Most of our enterprise customers have 1+ productized integrations (it's one of our main value propositions, after all). We don't want these integrations to break if an individual staff member at a customer happens to leave their company, so we proactively discourage integrators from using the API token of a real, live studio member.
Instead, we create a service-account user and use that account's API token. The uStudio Customer Success team creates this "user" with an email address following the convention "email@example.com", so that errors (such as a failed video ingest) are alerted to the product email alias and we know which customer might have been impacted. Some examples:
- Firstname: "MyAlcon", Lastname: "DocUGV", email: firstname.lastname@example.org
- Firstname: "Kohl's", Lastname: "Upload Page", email: email@example.com
- Firstname: "MF", Lastname: "OCMSintegration", email: firstname.lastname@example.org
- Firstname: "Radio", Lastname: "Service", email: email@example.com
- Firstname: "SymIntranet", Lastname: "Integration", email: firstname.lastname@example.org
Note that the passwords for these service accounts are stored in the product team LastPass account.
Also note that if somebody (including a customer contact) removes the service-account user from the studio, THE INTEGRATION WILL BREAK. At some point, it would be good for the product to allow users that are invisible and can only be removed by uStudio Support. Until then, warn customers to be careful.
For security purposes, it's smart to hand over the API token with care, as these digits are like keys to our customer's kingdom. Best practice is to put the API token into a piece of video metadata, have the customer's integrator log in and grab it, then delete it. That way, the API token is never exchanged over email, and only somebody with authentication credentials on the studio could have accessed it.