Skip to main content

API Key Security

API keys authenticate your requests to the Pictify API. Proper key management is essential for security.

Key Types

Creating API Keys

Dashboard

  1. Go to Settings > API Keys
  2. Click Create Key
  3. Name your key (e.g., “Production Server”, “CI/CD”)
  4. Copy the key immediately - it’s only shown once

Key Properties

Each key includes:
  • Key ID - Public identifier (e.g., key_abc123)
  • Secret - The actual key value (e.g., pk_live_xyz...)
  • Name - Your description
  • Created - Creation timestamp
  • Last Used - Last API call timestamp

Storing Keys Securely

Environment Variables

The recommended approach for most applications:
Never commit API keys to version control. Add .env to your .gitignore.

Secrets Managers

For production environments, use a secrets manager:

AWS Secrets Manager

Google Secret Manager

HashiCorp Vault

Kubernetes Secrets

Key Rotation

Regularly rotate API keys to limit exposure from potential leaks.

Rotation Process

  1. Create new key - Generate a new API key in the dashboard
  2. Update applications - Deploy the new key to all services
  3. Verify - Confirm all services are using the new key
  4. Revoke old key - Delete the old key from the dashboard

Zero-Downtime Rotation

For production systems, use overlapping validity:

Access Control

Principle of Least Privilege

Create separate keys for different purposes:

Team Access

  • Limit who can create keys - Only admins should create production keys
  • Audit key usage - Monitor which keys are being used
  • Remove departed employees - Revoke keys when team members leave

Monitoring & Auditing

Track Key Usage

Monitor your API usage in the dashboard:
  • Requests per key
  • Error rates
  • Last used timestamp
  • Geographic distribution

Set Up Alerts

Configure alerts for suspicious activity:
  • Sudden spike in requests
  • Requests from unexpected locations
  • High error rates
  • Usage outside business hours

Audit Logs

Review audit logs regularly:

Handling Compromised Keys

If you suspect a key has been compromised:

Immediate Actions

  1. Revoke immediately - Delete the key in the dashboard
  2. Create new key - Generate a replacement
  3. Update services - Deploy the new key
  4. Review logs - Check for unauthorized usage

Investigation

  1. Identify scope - What data could have been accessed?
  2. Check usage - Review API logs for suspicious activity
  3. Determine source - How was the key exposed?
  4. Prevent recurrence - Implement safeguards

Security Checklist

  • API keys stored in environment variables or secrets manager
  • .env files excluded from version control
  • Separate keys for production and development
  • Keys rotated regularly (at least annually)
  • Unused keys revoked
  • API usage monitored for anomalies
  • Access to key creation restricted
  • Incident response plan documented

Common Mistakes

Hardcoding Keys

Committing Keys

Sharing Keys in Chat

Using Production Keys in Development