Regenerate API keys and tokens
In the event that you believe that your API keys has been exposed, you should regenerate your API keys by following these steps:- Navigate to the developer portal’s “Projects and Apps” page.
- Click on the “Keys and tokens” icon (🗝 ) next to the relevant App.
- Click on the “Regenerate” button next to the set of keys and tokens that you would like to regenerate.
- If you would like to regenerate your Access Tokens, you must invalidate your tokens using the POST oauth/invalidate_token endpoint, then regenerate your tokens using the 3-legged OAuth flow.
- If you would like to regenerate your Bearer Token, you must invalidate your token using the POST oauth2/invalidate_token endpoint, then regenerate your token using the POST oauth2/token endpoint.
Having a central file for your secrets
Having a file such as .ENV file or any other sort of .yaml file to contain your secrets is an option that could be helpful but be sure to have a strong .gitignore file that can prevent you from accidentally committing these to a git repository.Environment variables
Writing code that utilizes environment variables might be helpful. An example of this is as follows written in Python:Source code and version control
The most common security mistakes made by developers are having API keys and tokens committed to source code in accessible version control systems like GitHub and BitBucket. Many of these code repositories are publicly accessible. This mistake is made so often in public code repositories that there are lucrative bots that scrape for API keys.- Use server environment variables. By storing API keys in environment variables, you keep them out of your code and version control. This also allows you to use different keys for different environments easily.
- Use a configuration file excluded from source control. Add the filename to your .gitignore file to exclude the file from being tracked by version control.
- If you remove the API keys from your code after you have used version control, the API keys are likely still accessible by accessing previous versions of your codebase. Regenerate your API keys, as described in the next section.
Databases
If you need to store your access tokens in a database, please keep the following in mind:- Restrict access to the database in a way such that the access tokens are only readable by the owner of the token.
- Restrict edit/write privileges to the database table for access tokens - this should be automated with the key management system.
- Encrypt access tokens before storing in any data stores.