For many uses of /usr/bin/bugzilla and python-bugzilla, it's necessary to actually be logged in to a bugzilla server: creating bugs, editing bugs, querying private data, etc.

Up until now anyone that's used the command line tool has periodically had to do a bugzilla login to refresh their authentication cache. In older bugzilla versions this was an HTTP cookie; more recently it's a bugzilla API token. Generally login calls were needed infrequently on a single machine as tokens would remain valid for a long time.

Recently, bugzilla.redhat.com received a big update to bugzilla 5.0. However, with that update it seems like API tokens now expire after a week, which has necessitated lots more bugzilla login calls than I'm used to.

Thankfully, with bugzilla 5.0 and later there's a better option: API keys. Here's how to use them transparently with /usr/bin/bugzilla and all python-bugzilla library usage. These are the steps for enabling API keys with bugzilla.redhat.com, but roughly the same process should apply to other bugzilla instances too.

  • Log in to the bugzilla web UI
  • Click on your email
  • Select Preferences
  • Select API Keys
  • Generate an API key with an optional comment like python-bugzilla

Afterwards the screen will look something like this (updated in June 2020):

Bugzilla web UI API key setup

MY-FAKE-KEY is not my actual key; I replaced it for demo purposes. The actual key is a long string of characters and numbers.

On bugzilla.redhat.com the key is only visible in the red box when the key is initially created; refreshing the page will only show the numeric API key ID which is not what you want. So if you missed copying that value the first time, revoke the key and create a new one.

Once you've copied your key, write a bugzillarc file like this:

$ cat ~/.config/python-bugzilla/bugzillarc
[bugzilla.redhat.com]
api_key=MY-FAKE-KEY

That's it; /usr/bin/bugzilla and tools that use python-bugzilla should pick it up automagically. Note that API keys are as good as passwords in certain ways, so treat them with the same secrecy you would treat a password.
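
Since the key sits in plain text in bugzillarc, one way to act on that advice is to check that the file is readable only by its owner. The following is an added example, not part of python-bugzilla or the original post; the function name audit_bugzillarc is hypothetical, and it assumes the INI layout shown above.

```python
import configparser
import os
import stat
import tempfile

# Path taken from the post; everything else in this block is illustrative.
DEFAULT_RC = os.path.expanduser("~/.config/python-bugzilla/bugzillarc")


def audit_bugzillarc(path=DEFAULT_RC, fix=False):
    """Return a list of findings for a bugzillarc that stores API keys.

    With fix=True, the file mode is tightened to 0600 (owner read/write).
    The key itself is never printed or returned.
    """
    parser = configparser.ConfigParser(interpolation=None)
    with open(path, encoding="utf-8") as handle:
        parser.read_file(handle)

    # Sections that carry a non-empty api_key, e.g. [bugzilla.redhat.com]
    keyed = [s for s in parser.sections()
             if parser.get(s, "api_key", fallback="").strip()]
    if not keyed:
        return []  # no secret stored in this file, nothing to protect

    mode = stat.S_IMODE(os.stat(path).st_mode)
    if not mode & (stat.S_IRWXG | stat.S_IRWXO):
        return []  # already restricted to the owner
    if fix:
        os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
        return [f"fixed: {path} was {mode:04o}, now 0600"]
    return [f"{path} is mode {mode:04o}; api_key for "
            f"{', '.join(keyed)} is accessible beyond the owner"]


if __name__ == "__main__":
    # Constructed sample file using the post's placeholder key, not a real one.
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "bugzillarc")
        with open(sample, "w", encoding="utf-8") as out:
            out.write("[bugzilla.redhat.com]\napi_key=MY-FAKE-KEY\n")
        os.chmod(sample, 0o644)
        print(audit_bugzillarc(sample))            # reports the loose mode
        print(audit_bugzillarc(sample, fix=True))  # tightens to 0600
        print(audit_bugzillarc(sample))            # []
```

Calling audit_bugzillarc() with no arguments checks the path used in this post.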