Skip to main content

API Key Management

Proper API key management is critical for security. This guide covers best practices for storing, rotating, and monitoring your API keys.

API Key Types

Never use test keys in production or live keys in development. Each environment should have its own credentials.

Secure Storage

Environment Variables

The minimum viable approach for local development:
Use a dedicated secrets manager for production:

Kubernetes Secrets

For containerized deployments:

Key Rotation

Rotate API keys regularly to limit exposure from potential leaks.

Rotation Process

Zero-Downtime Rotation

Support multiple valid keys during rotation:

Rotation Schedule

Scoped API Keys

Request API keys with minimum necessary permissions:
Contact TxnCheck support to request scoped API keys with limited method access.

Monitoring API Key Usage

Track Key Usage

Alert on Anomalies

Set up alerts for:
  • Unusual spike in API calls
  • High error rates (especially 401/403)
  • Calls from unexpected IP addresses
  • Usage outside business hours

Preventing Key Exposure

Git Pre-commit Hooks

Prevent accidental commits:

.gitignore

Always ignore sensitive files:

Secret Scanning

Enable GitHub secret scanning or use tools like:

Emergency Key Revocation

If a key is compromised:

Immediate Steps

  1. Revoke the compromised key in your TxnCheck dashboard
  2. Generate a new key with same permissions
  3. Update all services using the compromised key
  4. Review logs for unauthorized usage

Automation Script

Best Practices Summary

  • Use secrets manager in production
  • Never hardcode keys
  • Different keys per environment
  • Rotate quarterly minimum
  • Immediate rotation after suspected breach
  • Zero-downtime rotation process
  • Track all API key usage
  • Alert on anomalies
  • Regular access reviews
  • Pre-commit hooks
  • Secret scanning in CI/CD
  • Code review for key exposure

Security Overview

Complete security guide

Authentication

API authentication details