Authentication
The key to keeping everything secure.
An API key is a simple encrypted string that identifies an application without any principal. These are useful for accessing public data anonymously and are used to associate API trips with your account for quota and billing.
An API key is a long string containing upper and lower-case letters, numbers, and dashes. For example, P3lCqU6SJSKmPFWFq4Wg.n2WYh6Jsb30OcYIEN6uz.6WH0CK3-BAC4V3A-HRMV95J-9QW4FTT
🔑 Create an API Key
Only certain user roles are able to create an API key for an account. This role is determined by the Creator or Admin account. API keys are created for production or development separately by logging into the corresponding Client Console. The process is the same for both administration consoles.
To create an API key:
- Log on to the Client Console (either production or development)
- Click on the Credentials section
- Select + Create Credential
- Enter the information for the key (e.g., the name and which approved IP addresses are allowed to use the key)
- The API key created dialog box displays your newly created key
Caution: Save the API Key
Copy the newly created API key and keep it secure. This is the only time you will have access to it as API keys are not saved in the Client Console and cannot be retrieved in the future.
📂 Manage API Keys
API keys associated with the account can be managed through the Client Console in which it was created (production or development). Information about previously created keys is included in the Client Console, such as the date the key was created and part of the key is displayed (but not the whole key for security purposes). Other actions such as updating restrictions or deleting keys can also be done through the Client Console.
To add API key restrictions:
Navigate to the API→Credentials panel in the Client Console.
Select the name of an existing API key.
Enter the IP addresses to limit API key access to certain IP addresses.
Applying API key restrictions
API keys are unrestricted by default. Unrestricted keys are insecure because they can be used by anyone from anywhere. For production applications, you should set API key restrictions.
💻 Use an API Key
The API key is used in each REST API call to connect the call to the account. To use the API key, a user can pass the API key for the call as a custom header named x-api-key
.
️ Production API Keys vs Development API Keys
Production API keys must be used with the production sever URL. Similarly, deveopment API keys must be used with the development server URL. API keys only work for one or the other, but not both.
🔏 Secure API Keys
When using API keys in other applications, ensure that they are kept secure during both storage and transmission. Publicly exposing credentials can result in a user's account being compromised, which could lead to unexpected charges to that account.
To help keep API keys secure, follow these best practices:
-
Do not embed API keys directly in code.
API keys that are embedded in code can be accidentally exposed to the public. For example, you may forget to remove the keys from the code that you share. Instead of embedding your API keys in your applications, store them in environment variables or in files outside of your application's source tree. -
Do not store API keys in files inside an application's source tree.
If API keys are stored in files, keep those files outside the application's source tree to help ensure they do not end up in the source code control system. This is particularly important if a public source code management system is used, such as GitHub. -
Set up API key restrictions.
By adding restrictions, the impact of a compromised API key is reduced. -
Delete unneeded API keys to minimize exposure to attacks.
-
Change API keys periodically.
New API keys can be created through the Client Console's Credentials page. Then, update applications to use the newly-generated keys. -
Review your code before publicly releasing it.
Ensure that the code does not contain API keys or any other private information before the code is made publicly available.
Updated about 2 years ago