What are API Keys?

API keys are secrets used to authenticate to an API endpoint. They are similar to passwords, but have several key differences:

• Generated by the server and not the client

• Generally consists of a long string of random characters

• Intended to be used in scripts and automation

Common API Mistakes

API keys can easily be exposed accidentally and subsequently abused. Here are some common ways that they can be exposed:

• Insecure sharing - sharing keys in chat, documents, email, or public repositories

• Storage - committing keys in source code

• Front-end - using keys in client-side code

• HTTP - exposing keys in URLs or HTTP headers

• Code - exposing keys in website source code or debug endpoints

Protecting API Keys

Here are some general guidelines for protecting API keys:

• Safe use - authenticate with API keys via HTTPS request headers, for example X-Authorization

• Sharing - treat keys the same way you would passwords and only share them using the same methods

• Least Privilege - assign the minimum role or permissions required to the key itself, or the account the key belongs to. Avoid granting API keys blanket administrator roles with no restrictions.

• Remaining vigilant - In the event a key is compromised, reach out to [email protected] as soon as possible.

Additional Protections

The best defense is a layered one (defense in depth). Here are some additional methods to keep API keys safe:

• Restrict Network Access - if the service supports it, and your client(s) will use known/predictable addresses, restrict the key to only being used from specific IP addresses or network CIDRs/prefixes
• Separation - create a different API key for each user/service
• Prepare - have a plan in place if a key becomes compromised, e.g. how to disable/roll the key and update it on the client(s)
• Monitoring - ideally, set up alerts to notify you if the key is used from an unexpected location or to perform unexpected actions

Secure Key Storage

There are multiple methods to store keys that each have their own advantages and disadvantages.

Environment Variables

Environment variables are dynamic values stored locally on a computer. They are commonly used by developers to handle API keys securely.

Advantages

• Keys are separated from source code
• Widespread support
• Integration with CI/CD tooling

Disadvantages

• Vulnerable to exposure from misconfigured servers or logging
• No encryption without additional tooling

Configuration Management Tools

Configuration management tools such as Ansible can store, deploy, and manage API keys securely. These tools encrypt keys, only allow authorized users access, and track changes across time.

Advantages

• Encryption at rest and in transit
• Audit logs
• Key access permissions management

Disadvantages

• Operational and setup overhead
• Potential single point of failure

Secrets Manager or Dedicated Vault

Secrets Mangers or vaults such as AWS Secrets Manager are specialized tools designed for secure storage, management, and retrieval of secrets like API keys.

Advantages

• Encryption at rest and in transit
• Audit logs
• Fine-Grained Access Control
• Automatic key rotation

Disadvantages

• Possible vendor lock-in
• Additional costs from licensing, infrastructure, or cloud service fees

Final Thoughts

API keys are a useful and essential tool for modern applications and services, but protecting API keys is important as a single leaked key can lead to data loss, system compromises, high cloud costs, and/or reputation damage.

If you have additional questions please reach out to [email protected]