Security Guide

API Key Security

Your API key is the credential used to authenticate and authorize requests to the Pixelsuite API. Protecting your API key is critical to maintaining the security of your integration.

API Key Best Practices

1. Store Keys Securely

Never hardcode API keys in your source code. Use environment variables or secure credential management systems:

Environment Variables (Recommended)

# .env file (add to .gitignore)
PIXELSUITE_API_KEY=your_api_key_here

<?php
// PHP - Load from environment
$apiKey = getenv('PIXELSUITE_API_KEY');

// Or using $_ENV
$apiKey = $_ENV['PIXELSUITE_API_KEY'] ?? null;
?>

// Node.js - Load from environment
const apiKey = process.env.PIXELSUITE_API_KEY;

# Python - Load from environment
import os
api_key = os.getenv('PIXELSUITE_API_KEY')

Secure Credential Managers

For production environments, consider using dedicated secrets management services:

• AWS Secrets Manager - For applications hosted on AWS
• Azure Key Vault - For Microsoft Azure environments
• HashiCorp Vault - Platform-agnostic secrets management
• Docker Secrets - For containerized applications

2. Restrict API Key Access

Limit who can access your API keys:

• Store keys in secure locations with restricted file permissions (chmod 600)
• Use separate API keys for different environments (development, staging, production)
• Implement role-based access control (RBAC) for key management
• Regularly audit who has access to API keys

3. Use HTTPS Only

Always use HTTPS when making API requests to ensure encrypted communication:

# Good - HTTPS
https://api.pixelsuite.com.au/v1/client

# Bad - Never use HTTP
http://api.pixelsuite.com.au/v1/client

4. Rotate API Keys Regularly

Implement a key rotation policy:

• Rotate keys every 90 days or according to your security policy
• Rotate immediately if a key is compromised or exposed
• Use multiple keys during rotation to avoid downtime
• Document the rotation process for your team

5. Never Expose Keys in Client-Side Code

API keys should only be used in server-side code:

// ❌ BAD - Never do this in client-side JavaScript
const apiKey = 'sk_live_abc123...';  // Exposed to all users!

fetch('https://api.pixelsuite.com.au/v1/client', {
    headers: { 'Authorization': `Bearer ${apiKey}` }
});

// ✅ GOOD - Use a backend proxy instead
// Frontend (client-side)
fetch('/api/proxy/client')  // Call your backend

// Backend (server-side)
app.get('/api/proxy/client', async (req, res) => {
    const apiKey = process.env.PIXELSUITE_API_KEY;
    const response = await fetch('https://api.pixelsuite.com.au/v1/client', {
        headers: { 'Authorization': `Bearer ${apiKey}` }
    });
    res.json(await response.json());
});

What To Do If Your Key Is Compromised

If you suspect your API key has been exposed or compromised:

1. Contact Support Immediately - Notify your account manager or Pixelsuite support team
2. Revoke the Compromised Key - Disable the exposed key as soon as possible
3. Generate a New Key - Request a new API key from support
4. Update Your Applications - Deploy the new key to all systems
5. Audit API Logs - Review recent API activity for unauthorized access
6. Investigate the Breach - Determine how the key was exposed and prevent future incidents

Secure Development Practices

Version Control Security

Prevent accidental key exposure in Git repositories:

Add .env files to .gitignore

# .gitignore
.env
.env.local
.env.*.local
config/secrets.yml
credentials.json

Use .env.example for Documentation

# .env.example (safe to commit)
PIXELSUITE_API_KEY=your_api_key_here
DATABASE_URL=your_database_url_here

Check for Exposed Secrets

Use tools to scan for accidentally committed secrets:

# Install git-secrets
brew install git-secrets  # macOS
apt-get install git-secrets  # Linux

# Scan repository for secrets
git secrets --scan

# Add patterns to detect API keys
git secrets --add 'sk_live_[a-zA-Z0-9]{32,}'

Code Review Checklist

Before deploying code, verify:

• ✅ No hardcoded API keys in code
• ✅ API keys loaded from secure sources (environment variables, secrets managers)
• ✅ .env files added to .gitignore
• ✅ No API keys in log files or error messages
• ✅ HTTPS used for all API requests
• ✅ Error responses don't leak sensitive information

Network Security

IP Whitelisting

Contact support to configure IP whitelisting for enhanced security:

• Restrict API access to specific IP addresses or ranges
• Useful for server-to-server integrations
• Reduces risk of unauthorized access even if key is compromised

TLS/SSL Best Practices

Ensure secure HTTPS connections:

• Use TLS 1.2 or higher (TLS 1.0 and 1.1 are deprecated)
• Verify SSL certificates in production
• Never disable certificate verification

<?php
// PHP cURL - Verify SSL certificates
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
?>

// Node.js - Reject unauthorized certificates
const https = require('https');
https.request({
    rejectUnauthorized: true  // ✅ Good
});

Monitoring & Logging

Log API Activity

Implement logging for security monitoring:

• Log API requests with timestamps and endpoints
• Monitor for unusual patterns (spike in requests, failed authentications)
• Set up alerts for suspicious activity
• Never log API keys - redact sensitive data from logs

<?php
// Example: Secure logging
function logAPIRequest($endpoint, $statusCode) {
    $logEntry = [
        'timestamp' => date('Y-m-d H:i:s'),
        'endpoint' => $endpoint,
        'status' => $statusCode,
        // Never log the full Authorization header
        'user' => 'api_user_' . substr(hash('sha256', $apiKey), 0, 8)
    ];

    error_log(json_encode($logEntry));
}
?>

Rate Limit Monitoring

Track your API usage to detect anomalies:

• Monitor rate limit headers in responses
• Set alerts when approaching rate limits
• Unexpected rate limit hits may indicate compromised keys

Security Checklist

Use this checklist to ensure your integration is secure:

Additional Resources

Learn more about API security and integration: