On This Page

Key Takeaways for Managing API Credentials

In closing, here is my best advice for managing API credentials:

  • Never paste a secret into your code. Never ever!
  • Secure your API using OAuth 2.0 by writing your API to act as an OAuth 2.0 "Resource Server"
  • Use JSON Web Tokens (JWT) as your tokens to embed additional context
  • Use the token as a Bearer token with the Authorization header to prevent leaking your token in logs and caches
  • Implement regular token rotation to reduce the damage from leaked keys, poor practices, honest mistakes, and disgruntled employees.
  • Monitor your source code for token leaks
  • Implement "channel binding" to tie your API tokens to the TLS session they are requested over