On this page

    Key Takeaways for Managing API Credentials

    In closing, here is my best advice for managing API credentials:

    • Never paste a secret into your code. Never ever!
    • Secure your API using OAuth 2.0 by writing your API to act as an OAuth 2.0 "Resource Server"
    • Use JSON Web Tokens (JWT) as your tokens to embed additional context
    • Use the token as a Bearer token with the Authorization header to prevent leaking your token in logs and caches
    • Implement regular token rotation to reduce the damage from leaked keys, poor practices, honest mistakes, and disgruntled employees.
    • Monitor your source code for token leaks
    • Implement "channel binding" to tie your API tokens to the TLS session they are requested over
    Edit This Page On GitHub