What are API Keys?
API keys are secrets used to authenticate to an API endpoint. They are similar to passwords, but have several key differences:
Generated by the server and not the client
Generally consists of a long string of random characters
Intended to be used in scripts and automation
Common API Mistakes
API keys can easily be exposed accidentally and subsequently abused. Here are some common ways that they can be exposed:
Insecure sharing - sharing keys in chat, documents, email, or public repositories
- Storage - committing keys in source code
Front-end - using keys in client-side code
HTTP - exposing keys in URLs or HTTP headers
Code - exposing keys in website source code or debug endpoints
Protecting API Keys
Here are some general guidelines for protecting API keys:
Safe use - authenticate with API keys via HTTPS request headers, for example X-Authorization
Sharing - treat keys the same way you would passwords and only share them using the same methods
Least Privilege - assign the minimum role or permissions required to the key itself, or the account the key belongs to. Avoid granting API keys blanket administrator roles with no restrictions.
Remaining vigilant - In the event a key is compromised, reach out to [email protected] as soon as possible.
Additional Protections
The best defense is a layered one (defense in depth). Here are some additional methods to keep API keys safe:
- Restrict Network Access - if the service supports it, and your client(s) will use known/predictable addresses, restrict the key to only being used from specific IP addresses or network CIDRs/prefixes
- Separation - create a different API key for each user/service
- Prepare - have a plan in place if a key becomes compromised, e.g. how to disable/roll the key and update it on the client(s)
- Monitoring - ideally, set up alerts to notify you if the key is used from an unexpected location or to perform unexpected actions
Secure Key Storage
There are multiple methods to store keys that each have their own advantages and disadvantages.
Environment Variables
Environment variables are dynamic values stored locally on a computer. They are commonly used by developers to handle API keys securely.
Advantages
- Keys are separated from source code
- Widespread support
- Integration with CI/CD tooling
Disadvantages
- Vulnerable to exposure from misconfigured servers or logging
- No encryption without additional tooling
Configuration Management Tools
Configuration management tools such as Ansible can store, deploy, and manage API keys securely. These tools encrypt keys, only allow authorized users access, and track changes across time.
Advantages
- Encryption at rest and in transit
- Audit logs
- Key access permissions management
Disadvantages
- Operational and setup overhead
- Potential single point of failure
Secrets Manager or Dedicated Vault
Secrets Mangers or vaults such as AWS Secrets Manager are specialized tools designed for secure storage, management, and retrieval of secrets like API keys.
Advantages
- Encryption at rest and in transit
- Audit logs
- Fine-Grained Access Control
- Automatic key rotation
Disadvantages
- Possible vendor lock-in
- Additional costs from licensing, infrastructure, or cloud service fees
Final Thoughts
API keys are a useful and essential tool for modern applications and services, but protecting API keys is important as a single leaked key can lead to data loss, system compromises, high cloud costs, and/or reputation damage.
If you have additional questions please reach out to [email protected]
