API Key Security
Storage
Use environment variables - Never hardcode API keys
Use secrets managers for production deployments
- AWS Secrets Manager
- Google Secret Manager
- HashiCorp Vault
- Azure Key Vault
.gitignore:
Key Rotation
API keys expire after 1-90 days. Implement rotation:- Create new key before the old one expires
- Deploy with the new key
- Old key automatically expires
Key Isolation
Use separate API keys for:
This limits blast radius if a key is compromised.
Webhook Security
Use HTTPS
Always use HTTPS endpoints for webhooks:Validate Payloads
Verify webhook payloads before processing:Prevent Replay Attacks
Use timestamps and idempotency:Data Handling
Minimize Data Exposure
Only request and store data you need:Sanitize User Input
Validate and sanitize data before using:Protect PII
Handle personally identifiable information carefully:- Encrypt at rest
- Encrypt in transit (HTTPS)
- Implement access controls
- Log access to sensitive data
- Follow data retention policies
Logging
Do Log
- Request timestamps
- Response status codes
- Error messages (without sensitive data)
- Rate limit warnings
Don’t Log
- API keys
- Full request bodies with PII
- Webhook payloads with customer data
Server Security
Keep Dependencies Updated
Regularly update your dependencies:Use Security Headers
Protect your webhook endpoints:Rate Limit Your Endpoints
Protect against abuse:Incident Response
If you suspect a key is compromised:- Immediately revoke the key in the dashboard
- Create a new key and update your application
- Review logs for unauthorized access
- Audit what data may have been accessed
- Notify affected users if required
Security Checklist
API keys stored in environment variables or secrets manager
API keys never committed to version control
Separate keys for development and production
Key rotation before expiration
HTTPS for all webhook endpoints
Webhook payload validation
No sensitive data in logs
Dependencies regularly updated
Security headers configured
Rate limiting on your endpoints