
Security Best Practices

Key storage, rotation, scope limits, misuse prevention

What it is

Follow these practices to use the API securely and avoid key misuse or leakage.

Key storage

  • Never commit keys to source control. Use environment variables (WHMDC_API_KEY) or a secrets manager.
  • Never log keys. Mask keys in logs: show only the first 8 characters (e.g. a1b2c3d4…).
  • Never put keys in URLs. Use Authorization: Bearer or X-API-Key headers only.

Scope limits (least privilege)

Create keys with the minimum permissions needed. Use clients.read instead of * for read-only integrations. Use separate keys for different environments (staging vs production).

Key rotation

Rotate keys periodically (e.g. every 90 days) via POST /api/v1/api-keys/{id}/rotate. If a key is compromised, revoke it immediately with POST /api/v1/api-keys/{id}/revoke.

Rate limiting

Respect the 100 req/60s limit. Implement exponential backoff on 429. Avoid burst traffic; spread requests over time. Cache responses where possible.
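The key-handling rules above (environment variable, masked logging, header-only transport) and the 429 backoff rule, as an added example that is not part of this page or the API's own client code. The `make_fake_endpoint` stand-in for the API is a hypothetical, constructed helper so the script runs offline.

```python
import logging
import os
import time
from typing import Callable, Mapping, Tuple
log = logging.getLogger("whmdc_client")

def load_api_key(env: Mapping[str, str] = os.environ) -> str:
    """Read the key from the environment, never from source code."""
    key = env.get("WHMDC_API_KEY")
    if not key:
        raise RuntimeError("WHMDC_API_KEY is not set")
    return key

def mask_key(key: str) -> str:
    """Log-safe form of a key: the first 8 characters only."""
    return key[:8] + "..."

def auth_headers(key: str) -> dict:
    """Carry the key in a header; it must never appear in a URL."""
    return {"X-API-Key": key}

def call_with_backoff(send: Callable[[], Tuple[int, str]], max_retries: int = 5,
                      base_delay: float = 1.0,
                      sleep: Callable[[float], None] = time.sleep) -> Tuple[int, str]:
    """Call `send`; on HTTP 429 wait base_delay * 2**attempt, then retry."""
    for attempt in range(max_retries + 1):
        status, body = send()
        if status != 429:
            return status, body
        if attempt == max_retries:
            break
        delay = base_delay * 2 ** attempt
        log.warning("429 from API, retrying in %.1fs", delay)
        sleep(delay)
    raise RuntimeError(f"still rate limited after {max_retries} retries")

def make_fake_endpoint(headers: dict, rejections: int) -> Callable[[], Tuple[int, str]]:
    """Constructed stand-in for the API: 429 `rejections` times, then 200 if the header is set."""
    calls = [0]
    def send() -> Tuple[int, str]:
        calls[0] += 1
        if calls[0] <= rejections:
            return 429, "rate limited"
        return (200, "ok") if headers.get("X-API-Key") else (401, "missing key")
    return send

if __name__ == "__main__":
    key = load_api_key({"WHMDC_API_KEY": "a1b2c3d4e5f6g7h8"})  # constructed sample key
    log.warning("using key %s", mask_key(key))  # logs only "a1b2c3d4..."
    print(call_with_backoff(make_fake_endpoint(auth_headers(key), 2), sleep=lambda _: None))
```

Injecting `sleep` keeps the retry schedule testable; in production leave the default so the client actually waits between attempts.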

IP allowlist

For production keys, set an IP allowlist so only your servers can use the key. This limits damage if the key is leaked.

If a key is exposed

Revoke it immediately in Admin → API Keys or via POST /api/v1/api-keys/{id}/revoke. Create a new key and update your integration. Do not reuse revoked keys.
