Skip to main content
Follow these practices for production integrations.

Protect secrets

  • Store API keys in a secrets manager.
  • Restrict secret access by environment and role.
  • Avoid logging full keys.

Limit blast radius

  • Use separate keys for each environment and integration.
  • Revoke compromised or unused keys immediately.

Rotate keys

  • Rotate on a fixed schedule.
  • Rotate after team or vendor access changes.
  • Test key rollover before revoking the old key.

Validate failures safely

When troubleshooting auth failures:
  • Check header format first.
  • Confirm product and endpoint access requirements.
  • Avoid sharing raw keys in tickets or chat.