API Credentials: Best Practices

API Credentials are unique strings used both to authenticate and to identify an application communicating with Sandbox. This section describes best practices that developers can follow to keep Sandbox API keys secure.

  • Storing credentials: Do not store API credentials in files that are checked into your application's code repository. This is especially important if the repository is public. Review your code for API credentials before publishing it. Do not store your API credentials in your client application.
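One way to put the first point into practice is a pre-publish check that scans source and config files for credential-looking assignments, while the application itself reads the key and secret from the environment at runtime. The script below is an added example for this page, not Sandbox tooling: the environment variable names, the regular expression and the sample config lines (including both secret values) are constructed for illustration. It combines a name pattern with a Shannon-entropy test so that obvious placeholders are not reported as leaks.

```python
"""Scan text for hard-coded API credentials before publishing, and show the
environment-variable pattern that should replace them.

Added example for this page; not Sandbox's own tooling. Variable names,
sample lines and secret values are constructed."""
import math
import os
import re
from collections import Counter

# A secret-looking name assigned a quoted literal of 16+ characters,
# e.g. api_secret = "..." or API_KEY: '...'. Names are assumptions.
_ASSIGN_RE = re.compile(
    r"(?i)\b([A-Z_]*(?:API[_-]?KEY|API[_-]?SECRET|SECRET|TOKEN)[A-Z_]*)\b"
    r"\s*[:=]\s*['\"]([^'\"]{16,})['\"]"
)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random keys score well above 3.5,
    placeholders such as CHANGE_ME repeat characters and score lower."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_hardcoded_secrets(text: str, min_entropy: float = 3.5) -> list[dict]:
    """Return one finding per line that assigns a high-entropy literal to a
    credential-looking name. Only a short preview of the value is kept so the
    report itself does not become a second copy of the secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = _ASSIGN_RE.search(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2)
        if shannon_entropy(value) < min_entropy:
            continue  # low entropy: almost certainly a placeholder, not a real key
        findings.append({"line": lineno, "name": name, "preview": value[:4] + "..."})
    return findings


def load_credentials_from_env(env=os.environ) -> tuple[str, str]:
    """The recommended pattern: read key and secret from the environment at
    runtime instead of embedding them in code. Variable names are assumptions."""
    key = env.get("SANDBOX_API_KEY")
    secret = env.get("SANDBOX_API_SECRET")
    if not key or not secret:
        raise RuntimeError("SANDBOX_API_KEY / SANDBOX_API_SECRET are not set")
    return key, secret


# Constructed sample config: one placeholder (should be ignored) and one
# real-looking secret (should be reported).
SAMPLE_CONFIG = """
api_key = "CHANGE_ME_CHANGE_ME_CHANGE_ME"
API_SECRET = "q7Zp2mX9vL4kR8sT1wY6nB3cF5hJ0dGa"
timeout = 30
"""

if __name__ == "__main__":
    for f in find_hardcoded_secrets(SAMPLE_CONFIG):
        print(f"line {f['line']}: {f['name']} looks like a real secret ({f['preview']})")
```

Run it over the files you are about to publish (for example as a pre-commit hook); a non-empty result means a credential must be removed from the file and moved to the environment or a secrets store before the commit goes out.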

  • Rotate API secrets periodically: It is recommended that you change your API secrets periodically, just as you would passwords, and especially when you notice anomalies in API usage. Create a new secret and replace all occurrences of the old secret with the new one. We recommend changing keys at least once every 3 months.
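The rotation rule above has two triggers: an age limit and anomalous usage. The script below is an added example for this page, not Sandbox tooling, that encodes both as a simple policy check: the 90-day limit follows the page's "at least once every 3 months", the spike test (latest day more than three standard deviations above the preceding days) is an assumption about what counts as an anomaly, and the creation date and daily request counts are constructed.

```python
"""Decide whether a Sandbox API secret is due for rotation.

Added example for this page; not Sandbox tooling. The 90-day limit follows
the page's recommendation; the anomaly rule, dates and usage figures are
constructed assumptions."""
from datetime import date, timedelta
from statistics import mean, pstdev

# Page recommends rotating at least once every 3 months.
ROTATION_MAX_AGE = timedelta(days=90)


def rotation_due(created_on: date, today: date, max_age: timedelta = ROTATION_MAX_AGE) -> bool:
    """True once a secret has been in service for max_age or longer."""
    return today - created_on >= max_age


def usage_anomaly(daily_requests: list[int], threshold: float = 3.0) -> bool:
    """Flag the latest day's request count when it sits more than `threshold`
    standard deviations above the baseline formed by the preceding days.
    Such a spike is the kind of usage anomaly that should trigger an early
    rotation. Needs at least a week of baseline; otherwise it stays quiet."""
    if len(daily_requests) < 8:
        return False
    baseline, latest = daily_requests[:-1], daily_requests[-1]
    mu, sigma = mean(baseline), pstdev(baseline)
    if sigma == 0:
        return latest > mu  # perfectly flat baseline: any increase is a change
    return (latest - mu) / sigma > threshold


def rotation_reasons(created_on: date, today: date, daily_requests: list[int]) -> list[str]:
    """Collect every reason the secret should be rotated now; empty means no action."""
    reasons = []
    if rotation_due(created_on, today):
        age = (today - created_on).days
        reasons.append(f"secret is {age} days old (limit {ROTATION_MAX_AGE.days})")
    if usage_anomaly(daily_requests):
        reasons.append(f"latest daily usage {daily_requests[-1]} is far above baseline")
    return reasons


# Constructed sample: a secret created 2024-01-10 and reviewed 2024-03-01
# (51 days old), with a week of steady traffic followed by a sudden spike.
SAMPLE_CREATED = date(2024, 1, 10)
SAMPLE_TODAY = date(2024, 3, 1)
SAMPLE_USAGE = [1200, 1150, 1300, 1250, 1180, 1220, 1270, 9800]

if __name__ == "__main__":
    for reason in rotation_reasons(SAMPLE_CREATED, SAMPLE_TODAY, SAMPLE_USAGE):
        print("rotate:", reason)
```

In the sample the secret is well inside the 90-day window, but the usage spike alone is enough to recommend rotating it; once the new secret is in place, update every consumer and only then retire the old one.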

  • Sharing secrets: The following guidelines apply when sharing API keys with other people:

    • API secrets can be viewed and created by users with admin access to Sandbox.

    • When sharing secrets with non-admins, use a medium that is secure, has appropriate access restrictions, and is destroyed once the secret has been shared. Suggested options are a secure cloud-based document-sharing service or a password manager that supports sharing over a network.

    • Do not share secrets via email or other plaintext channels.

    • When sharing secrets with a third party for integrations, ask about their expected API request volumes so that your overall API rate quotas are not exceeded.