API Key Best Practices

For Developers

1. Store Keys Securely

  • ✅ Store in environment variables (.env file)

  • ✅ Use secret management tools (AWS Secrets Manager, Vault)

  • ❌ Never commit keys to version control

  • ❌ Never hardcode keys in source code

  • ❌ Never share keys via email or chat

2. Use Minimal Permissions

  • ✅ Create separate keys for different applications

  • ✅ Grant only required permission scopes

  • ❌ Don’t use full-access keys for single-purpose applications

3. Rotate Keys Regularly

  • ✅ Rotate keys every 90 days (recommended)

  • ✅ Rotate immediately if a key is compromised

  • ✅ Test the new key before revoking the old key

4. Monitor Usage

  • ✅ Review API key usage regularly

  • ✅ Set up alerts for unusual activity

  • ✅ Investigate unexpected errors

5. Handle Errors Gracefully

  • ✅ Implement exponential backoff for rate limit errors

  • ✅ Log authentication failures

  • ✅ Retry failed requests with backoff
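The developer items on key storage (section 1) and error handling (section 5) combined in one client helper, as an added example that is not PenguinMails code. The environment variable name PENGUINMAILS_API_KEY, the AuthenticationError class and the send(api_key) -> (status, body) callable are assumptions, since the page does not describe the API itself.

```python
import logging
import os
import random
import time

log = logging.getLogger("penguinmails.client")

# Assumed variable name; the page does not specify one.
API_KEY_ENV = "PENGUINMAILS_API_KEY"


class AuthenticationError(Exception):
    """Raised on 401/403: a rejected or revoked key is never retried."""


def load_api_key(env=os.environ):
    """Read the key from the environment instead of the source tree."""
    key = env.get(API_KEY_ENV)
    if not key:
        raise RuntimeError(f"{API_KEY_ENV} is not set")
    return key


def redact(key):
    """Form safe for log lines: only the last four characters survive."""
    return "****" + key[-4:]


def call_with_backoff(send, api_key, max_attempts=5, base_delay=0.5,
                      sleep=time.sleep, jitter=random.random):
    """Call send(api_key) -> (status, body) with retry rules:

    429 or 5xx: exponential backoff (base_delay * 2**attempt + jitter), retry.
    401/403:    log the failure with a redacted key and stop; retrying a
                rejected key only burns attempts and hides a revoked key.
    """
    for attempt in range(max_attempts):
        status, body = send(api_key)
        if status in (401, 403):
            log.warning("auth failure %s for key %s", status, redact(api_key))
            raise AuthenticationError(status)
        if status == 429 or status >= 500:
            delay = base_delay * (2 ** attempt) + jitter()
            log.info("status %s, retry %d in %.2fs", status, attempt + 1, delay)
            sleep(delay)
            continue
        return status, body
    raise RuntimeError(f"gave up after {max_attempts} attempts")
```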

For PenguinMails Administrators

1. Enforce Security Policies

  • ✅ Require HTTPS for all API requests

  • ✅ Implement rate limiting per tier

  • ✅ Monitor for suspicious activity

2. Audit Regularly

  • ✅ Review audit logs weekly

  • ✅ Investigate anomalies

  • ✅ Revoke unused keys

3. Educate Users

  • ✅ Provide security best practices documentation

  • ✅ Send reminders for key rotation

  • ✅ Offer security training