In closing, here is my best advice for managing API credentials:
- Never paste a secret into your code. Never ever!
- Secure your API with OAuth 2.0 by implementing it as an OAuth 2.0 "Resource Server"
- Use JSON Web Tokens (JWT) as your tokens to embed additional context
- Send the token as a Bearer token in the Authorization header so it is not leaked into logs and caches
- Implement regular token rotation to reduce the damage from leaked keys, poor practices, honest mistakes, and disgruntled employees.
- Monitor your source code for token leaks
- Implement "channel binding" to tie your API tokens to the TLS session they are requested over
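To make several of these points concrete, here is an added example (not code from the original post) of the checks a resource server performs on an incoming request: it refuses tokens passed in the query string, extracts the Bearer token from the Authorization header, verifies the JWT signature with a pinned algorithm, checks issuer, audience and expiry, and enforces a maximum token lifetime as a backstop for the rotation policy. The signing key, issuer URL, audience name and lifetime limit are constructed for the demo; HS256 is implemented with the standard library only so the block runs offline, whereas a real deployment would use a vetted JWT library and load the key from a secrets manager rather than from source.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values (assumptions for this example, not real configuration).
DEMO_KEY = b"demo-signing-key-not-a-real-secret"   # never hard-code a real key like this
EXPECTED_ISSUER = "https://auth.example.test"
EXPECTED_AUDIENCE = "orders-api"
MAX_TOKEN_LIFETIME = 3600  # seconds; short lifetimes are what makes rotation effective


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Issue an HS256 JWT. Only the authorization server should ever hold this key."""
    header = {"alg": "HS256", "typ": "JWT"}
    compact = {"separators": (",", ":")}
    signing_input = (
        _b64url_encode(json.dumps(header, **compact).encode())
        + "."
        + _b64url_encode(json.dumps(claims, **compact).encode())
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def extract_bearer(headers: dict):
    """Return the token from 'Authorization: Bearer <token>', or None."""
    auth = headers.get("Authorization") or headers.get("authorization")
    if not auth:
        return None
    scheme, _, token = auth.partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


def verify_jwt(token: str, key: bytes = DEMO_KEY, now=None):
    """Return (claims, 'ok') on success or (None, reason) on any failure."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return None, "malformed"
    # Pin the algorithm: never let the token choose it (rejects alg=none and key confusion).
    if header.get("alg") != "HS256":
        return None, "unsupported alg"
    expected = hmac.new(key, (header_b64 + "." + payload_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None, "bad signature"
    if claims.get("iss") != EXPECTED_ISSUER:
        return None, "wrong issuer"
    aud = claims.get("aud")
    if EXPECTED_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        return None, "wrong audience"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        return None, "expired"
    # Backstop for the rotation policy: refuse long-lived tokens even if the issuer minted one.
    if exp - claims.get("iat", exp) > MAX_TOKEN_LIFETIME:
        return None, "lifetime exceeds rotation policy"
    return claims, "ok"


def authorize_request(headers: dict, query: dict, now=None):
    """Gate a request: token must arrive as a Bearer header, never in the URL."""
    # Tokens in the query string end up in access logs, proxies and browser caches.
    if "access_token" in query:
        return None, "token in query string rejected"
    token = extract_bearer(headers)
    if token is None:
        return None, "missing bearer token"
    return verify_jwt(token, now=now)


if __name__ == "__main__":
    now = int(time.time())
    tok = mint_jwt({"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE,
                    "sub": "svc-billing", "iat": now, "exp": now + 300})
    print(authorize_request({"Authorization": "Bearer " + tok}, {}))
    print(authorize_request({}, {"access_token": tok}))
```

The `authorize_request` function is the shape of a middleware hook: every failure path returns a reason string so the resource server can log *why* a request was refused (useful for spotting leaked or replayed tokens) without ever logging the token itself. Channel binding is not shown here; it requires the TLS layer to expose the session's exported keying material so the token can be tied to it, which is beyond what a pure-Python snippet can demonstrate.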