Key storage & rotation
- Store keys in server-side secrets or environment variables; never ship to the client.
- Rotate keys quarterly or on incident; alert when a key is used from a new ASN/region.
Least privilege
- Scope keys to specific services where possible and segment workload API keys per app/environment.
Secure transport
- Enforce HTTPS and HSTS on your domain; refuse requests over plain HTTP.
- Pin allowed origins for browser apps; never expose raw keys in JS.
Abuse prevention
- Rate limit per IP and API key at your edge; add CAPTCHA to public forms that trigger API calls.
- Detect spikes with rolling windows and alerting; automatically pause suspicious keys.
Audit & monitoring
- Log user, endpoint, status, latency, and points used; retain logs for 30–90 days.
- Set anomaly alerts: >5% error rate, p95 latency > 1s, unexpected region.
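The anomaly alerts above, worked over one constructed window of access logs (an added example, not ApiNest's own code). The thresholds are the page's; the JSON-lines layout, field names and the region allow-list are assumptions for this deployment.

```python
import json
import math
# Constructed sample of access logs carrying the fields the page says to log
# (user, endpoint, status, latency, points used) plus key and region; the
# JSON-lines layout and field names are assumptions, not ApiNest's schema.
SAMPLE_LOG = """\
{"user":"u1","key":"k_a","endpoint":"/v1/search","status":200,"latency_ms":120,"points":1,"region":"us-east"}
{"user":"u2","key":"k_b","endpoint":"/v1/items","status":200,"latency_ms":210,"points":2,"region":"eu-west"}
{"user":"u2","key":"k_b","endpoint":"/v1/items","status":500,"latency_ms":1500,"points":2,"region":"eu-west"}
{"user":"u3","key":"k_c","endpoint":"/v1/search","status":429,"latency_ms":20,"points":0,"region":"us-east"}
{"user":"u4","key":"k_d","endpoint":"/v1/items","status":200,"latency_ms":300,"points":2,"region":"ap-south"}
"""

ERROR_RATE_MAX = 0.05           # page threshold: >5% error rate
P95_LATENCY_MAX_MS = 1000       # page threshold: p95 latency > 1s
EXPECTED_REGIONS = {"us-east", "eu-west"}  # assumed allow-list; anything else is "unexpected region"

def parse_log(text):
    """Parse JSON-lines access logs, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def error_rate(events):
    """Share of requests failing server-side (5xx); 429s are the limiter working, not errors."""
    return sum(e["status"] >= 500 for e in events) / len(events) if events else 0.0

def p95_latency(events):
    """Nearest-rank p95: the value at rank ceil(0.95 * n) of the sorted latencies."""
    lat = sorted(e["latency_ms"] for e in events)
    return lat[max(1, math.ceil(0.95 * len(lat))) - 1] if lat else 0

def unexpected_regions(events):
    """Map each key to the regions it was used from outside the allow-list."""
    seen = {}
    for e in events:
        if e["region"] not in EXPECTED_REGIONS:
            seen.setdefault(e["key"], set()).add(e["region"])
    return seen

def evaluate(events):
    """Return the alerts for one log window; an empty list means all clear."""
    alerts = []
    rate, p95 = error_rate(events), p95_latency(events)
    if rate > ERROR_RATE_MAX:
        alerts.append(f"error rate {rate:.1%} exceeds {ERROR_RATE_MAX:.0%}")
    if p95 > P95_LATENCY_MAX_MS:
        alerts.append(f"p95 latency {p95}ms exceeds {P95_LATENCY_MAX_MS}ms")
    for key, regions in sorted(unexpected_regions(events).items()):
        alerts.append(f"key {key} used from unexpected region(s) {sorted(regions)}")
    return alerts
```

Run `evaluate(parse_log(SAMPLE_LOG))` to see all three alert kinds fire on the sample; in production, feed it each rolling window and page on a non-empty result.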
FAQ
Is it safe to call ApiNest from the browser?
Use a lightweight backend proxy so keys stay server-side. For public demo endpoints, use temporary keys.
How do I rotate without downtime?
Ship dual-key support: accept the new key while the old one remains valid, then revoke the old key once the rollout is complete.