API Security: Best Practices

API Credentials are unique strings used for both authenticating and identifying an application communicating with Sandbox. This section describes the best practices that developers can follow to secure Sandbox API keys.

  • Storing credentials: Do not store API credentials in files that are checked into your application code repository. This is especially important if your repository is public. Review your code for any API credentials before publishing. Do not store your API credentials in your client application.

  • Rotate API Secrets periodically: Change your API secrets periodically, just as you would passwords, and especially when you notice any anomalies in API usage. Create a new secret and replace all occurrences of the old secret with the new one. We recommend changing keys at least once every 3 months.
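The two points above (keep credentials out of source, rotate them on a schedule) can be enforced in code. The following is an added example, not Sandbox's own tooling: it reads the key and secret from the environment, scans source text for lines that look like a hard-coded credential before a commit or publish, and flags a secret whose age exceeds the 3-month interval. The environment variable names, the regex heuristic and the sample source are assumptions constructed for this example.

```python
"""Added example (not Sandbox's own code): keep API credentials out of
source files and flag secrets that are overdue for rotation.

Assumptions (not from the page): the environment variable names
SANDBOX_API_KEY and SANDBOX_API_SECRET, and the regex used to spot
hard-coded credentials in source text.
"""
import os
import re
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Rotation interval recommended on the page: at least once every 3 months.
ROTATION_INTERVAL = timedelta(days=90)

# Hypothetical heuristic: an assignment whose name mentions api key/secret/token
# and whose value is a quoted literal of 16 or more characters.
HARDCODED_SECRET_RE = re.compile(
    r"""(?i)\b(api[_-]?(?:key|secret)|secret|token)\s*[:=]\s*['"][A-Za-z0-9_\-]{16,}['"]"""
)


def load_credentials(env=None) -> Tuple[str, str]:
    """Read the key and secret from the environment, never from source.
    Raise if either is missing so a misconfigured deployment fails closed."""
    env = os.environ if env is None else env
    try:
        return env["SANDBOX_API_KEY"], env["SANDBOX_API_SECRET"]
    except KeyError as missing:
        raise RuntimeError(f"missing credential in environment: {missing}") from None


def find_hardcoded_secrets(source: str) -> List[Tuple[int, str]]:
    """Return (line_number, line) for lines that look like a hard-coded API
    credential; intended for a pre-commit or pre-publish review of a repository."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if HARDCODED_SECRET_RE.search(line):
            hits.append((lineno, line.strip()))
    return hits


def rotation_overdue(created_at: datetime, now: Optional[datetime] = None) -> bool:
    """True when a secret has been in use longer than ROTATION_INTERVAL."""
    now = now or datetime.now(timezone.utc)
    return now - created_at > ROTATION_INTERVAL


# Constructed sample source with one offending line, for demonstration only.
SAMPLE_SOURCE = '''import requests
API_KEY = os.environ["SANDBOX_API_KEY"]   # fine: read from the environment
api_secret = "AbCdEf0123456789AbCdEf01"    # hard-coded literal: flagged
'''

if __name__ == "__main__":
    for lineno, line in find_hardcoded_secrets(SAMPLE_SOURCE):
        print(f"possible hard-coded credential at line {lineno}: {line}")
    created = datetime(2024, 1, 1, tzinfo=timezone.utc)
    checked = datetime(2024, 5, 1, tzinfo=timezone.utc)
    print("rotation overdue:", rotation_overdue(created, checked))
```

The scanner is deliberately a coarse heuristic: it will miss secrets in unusual formats and may flag long non-secret literals, so treat a hit as a prompt for review rather than a verdict, and run it over the repository before every publish.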

  • Sharing secrets: The following guidelines cover sharing API keys with other people:

    • API secrets can be viewed and created by users with admin access to Sandbox.
    • When sharing secrets with non-admins, use a medium that is secure, has appropriate access restrictions, and is destroyed once the secret has been shared. Suggested options are a secure cloud-based document sharing service or a password manager that allows sharing over a network.
    • Do not share secrets via emails or other plaintext communication.
    • When sharing secrets with a third party for integrations, ask about their API request volumes so that your overall API rate quotas are not breached.

  • Keep your Sandbox password secure
    Your password should be unique to your Sandbox account and known only to you. We recommend that you do not reuse this password for other services or websites. You can update your password by going to your Profile and clicking on My Account.

  • Maintain the confidentiality of your API Keys
    Your API keys are unique to your account. Anyone who learns your API credentials can make API requests on behalf of your account. If you think your API keys may be compromised, you can always generate a new API Secret.
    To generate a new API Secret, click on the API key whose secret you wish to change. Navigate to the API Key tab and click on the reveal button next to the API secret. Click on the refresh icon below the API secret to generate a new one. (Guest users cannot view the API secret key.)

  • Beware of phishing
    If you receive an email or SMS that appears to come from us but that you do not expect, do not click the link and enter your password. A phishing message will typically ask you to visit a link, download a file, complete a form, or open an attachment.

  • What to do if you suspect fraud
    Sandbox takes customer reports of fraudulent activity very seriously. If you think your account is compromised, or that a fraudster is actively using your account, then you should:

    • Contact Us
      If you suspect an attack, contact us immediately by email or support ticket, or reach the Sandbox team at [email protected]

    • Change your password
      You can block unauthorized user access by changing the password. We recommend using a strong password with uppercase, lowercase, numbers, and special characters.

    • Generate new API Secret
      Changing your password can prevent the fraudster from logging into the account, but they can still use the API if they have your API keys. To prevent a fraudster from making API requests, generate a new API Secret. Anyone holding the old API Secret will no longer be able to make API requests.
