API Key Security
API keys authenticate your requests to the Pictify API. Proper key management is essential for security.
Key Types
Creating API Keys
Dashboard
- Go to Settings > API Keys
- Click Create Key
- Name your key (e.g., “Production Server”, “CI/CD”)
- Copy the key immediately - it’s only shown once
Key Properties
Each key includes:
- Key ID - Public identifier (e.g.,
key_abc123)
- Secret - The actual key value (e.g.,
pk_live_xyz...)
- Name - Your description
- Created - Creation timestamp
- Last Used - Last API call timestamp
Storing Keys Securely
Environment Variables
The recommended approach for most applications:
Never commit API keys to version control. Add .env to your .gitignore.
Secrets Managers
For production environments, use a secrets manager:
AWS Secrets Manager
Google Secret Manager
HashiCorp Vault
Kubernetes Secrets
Key Rotation
Regularly rotate API keys to limit exposure from potential leaks.
Rotation Process
- Create new key - Generate a new API key in the dashboard
- Update applications - Deploy the new key to all services
- Verify - Confirm all services are using the new key
- Revoke old key - Delete the old key from the dashboard
Zero-Downtime Rotation
For production systems, use overlapping validity:
Access Control
Principle of Least Privilege
Create separate keys for different purposes:
Team Access
- Limit who can create keys - Only admins should create production keys
- Audit key usage - Monitor which keys are being used
- Remove departed employees - Revoke keys when team members leave
Monitoring & Auditing
Track Key Usage
Monitor your API usage in the dashboard:
- Requests per key
- Error rates
- Last used timestamp
- Geographic distribution
Set Up Alerts
Configure alerts for suspicious activity:
- Sudden spike in requests
- Requests from unexpected locations
- High error rates
- Usage outside business hours
Audit Logs
Review audit logs regularly:
Handling Compromised Keys
If you suspect a key has been compromised:
- Revoke immediately - Delete the key in the dashboard
- Create new key - Generate a replacement
- Update services - Deploy the new key
- Review logs - Check for unauthorized usage
Investigation
- Identify scope - What data could have been accessed?
- Check usage - Review API logs for suspicious activity
- Determine source - How was the key exposed?
- Prevent recurrence - Implement safeguards
Security Checklist
Common Mistakes
Hardcoding Keys
Committing Keys
Sharing Keys in Chat
Using Production Keys in Development