sanctions.tr
All contentArticle

Using API keys safely

Server-side storage, scope reduction, rotation and incident response basics.

An API key is the identity of an integration. It must not appear in source repositories, browsers, support messages or logs.

Apply least privilege

Separate keys by environment and integration. Define domain, IP, source and usage policies as narrowly as possible.

Design rotation before an incident

Document how to create a new key, move traffic and revoke the previous key. Assign ownership and response time for suspected exposure.

The raw key should be shown only at creation; use a safe identifier such as the final characters afterward.