API Key Management
Proper API key management is critical for security. This guide covers best practices for storing, rotating, and monitoring your API keys.API Key Types
Secure Storage
Environment Variables
The minimum viable approach for local development:Secrets Manager (Recommended)
Use a dedicated secrets manager for production:- AWS Secrets Manager
- HashiCorp Vault
- Google Secret Manager
- Azure Key Vault
Kubernetes Secrets
For containerized deployments:Key Rotation
Rotate API keys regularly to limit exposure from potential leaks.Rotation Process
Zero-Downtime Rotation
Support multiple valid keys during rotation:Rotation Schedule
Scoped API Keys
Request API keys with minimum necessary permissions:Contact TxnCheck support to request scoped API keys with limited method access.
Monitoring API Key Usage
Track Key Usage
Alert on Anomalies
Set up alerts for:- Unusual spike in API calls
- High error rates (especially 401/403)
- Calls from unexpected IP addresses
- Usage outside business hours
Preventing Key Exposure
Git Pre-commit Hooks
Prevent accidental commits:.gitignore
Always ignore sensitive files:Secret Scanning
Enable GitHub secret scanning or use tools like:Emergency Key Revocation
If a key is compromised:Immediate Steps
- Revoke the compromised key in your TxnCheck dashboard
- Generate a new key with same permissions
- Update all services using the compromised key
- Review logs for unauthorized usage
Automation Script
Best Practices Summary
Storage
Storage
- Use secrets manager in production
- Never hardcode keys
- Different keys per environment
Rotation
Rotation
- Rotate quarterly minimum
- Immediate rotation after suspected breach
- Zero-downtime rotation process
Monitoring
Monitoring
- Track all API key usage
- Alert on anomalies
- Regular access reviews
Prevention
Prevention
- Pre-commit hooks
- Secret scanning in CI/CD
- Code review for key exposure
Related Guides
Security Overview
Complete security guide
Authentication
API authentication details
