# Securing Your API Integration

By admin, April 15, 2026

## Prerequisites

A working API integration and an understanding of OAuth 2.0 basics.

 ## 1 — Manage Secrets Properly

Never hardcode API keys or client secrets in source code. Use a secrets manager:

- **AWS Secrets Manager** or **Parameter Store** for AWS-hosted applications
- **Azure Key Vault** for Azure-hosted applications
- **Google Secret Manager** for GCP
- **HashiCorp Vault** for on-premises or multi-cloud

```bash
# Load at runtime, never commit to git
export AELIX_CLIENT_SECRET=$(aws secretsmanager get-secret-value \
    --secret-id prod/aelix/client_secret \
    --query SecretString --output text)
```
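The rule above is easy to state and easy to break by accident. The following scanner is an added example (not part of this guide or the Aelix portal tooling) of the kind of pre-commit check that catches a credential literal before it reaches git: it flags assignments where a variable whose name suggests a credential is set to a string literal, while ignoring runtime lookups from the environment or a secrets manager, comments, and obvious placeholders. The credential name patterns and the sample source are constructed for illustration.

```python
"""Scan source text for hardcoded API credentials.

Added example, not part of the Aelix Developer Portal guide. Flags
assignments of a string literal to a credential-looking variable name;
ignores values read at runtime (os.environ, a secrets-manager call),
comment lines and placeholder values. Patterns and sample are constructed.
"""
import re

# Variable names that usually hold credentials (assumption: extend for your code base).
SECRET_NAME = re.compile(
    r"(?i)\b([A-Z0-9_]*(client_secret|api_key|secret|token|password)[A-Z0-9_]*)\b"
)
# Assignment of a quoted literal of at least 8 chars: NAME = "..." or NAME: '...'
ASSIGNMENT = re.compile(
    r"""(?P<name>[A-Za-z_][A-Za-z0-9_]*)\s*[:=]\s*(?P<quote>["'])(?P<value>[^"']{8,})(?P=quote)"""
)
# Substrings that mark a value as a placeholder rather than a real secret.
PLACEHOLDERS = ("<", "${", "$(", "changeme", "example", "your_", "xxx")


def find_hardcoded_secrets(source: str):
    """Return (line_number, variable_name) for each suspicious literal assignment."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("#") or stripped.startswith("//"):
            continue  # comment line: nothing executable here
        for m in ASSIGNMENT.finditer(line):
            name, value = m.group("name"), m.group("value")
            if not SECRET_NAME.search(name):
                continue  # not a credential-looking variable
            if any(p in value.lower() for p in PLACEHOLDERS):
                continue  # placeholder, not a real value
            findings.append((lineno, name))
    return findings


# Constructed sample: two real-looking literals, one env lookup, one placeholder.
SAMPLE_SOURCE = '''
import os
AELIX_CLIENT_ID = "app-1234"
AELIX_CLIENT_SECRET = "f3a9c2e1b7d04c5e8a6f1b2c3d4e5f60"   # must be flagged
api_key = os.environ["AELIX_API_KEY"]                    # loaded at runtime: fine
db_password = "<replace-me-in-deployment>"               # placeholder: fine
# token = "0123456789abcdef0123456789abcdef"              # comment: fine
token = 'deadbeefdeadbeefdeadbeef'                        # must be flagged
'''

if __name__ == "__main__":
    for lineno, name in find_hardcoded_secrets(SAMPLE_SOURCE):
        print(f"line {lineno}: {name} appears to be a hardcoded credential")
```

Wire `find_hardcoded_secrets` into a pre-commit hook over the staged diff and fail the commit on any finding; the `PLACEHOLDERS` list is the knob to tune if your templates produce false positives.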

## 2 — Apply Least-Privilege Scopes

Request only the OAuth scopes your application genuinely requires. Reviewing and reducing scopes limits the blast radius if credentials are compromised:

| Scope | Access Granted |
|---|---|
| `banking:read` | Read account balances and details |
| `banking:write` | Create and modify accounts |
| `payments:initiate` | Initiate payment transfers |
| `admin:users` | Manage portal users (service accounts only) |

## 3 — Rotate Credentials Regularly

Rotate client secrets on a schedule — typically every 90 days for production workloads:

1. Generate a new client secret in the portal (the old secret remains active)
2. Deploy the new secret to your secret manager
3. Trigger a rolling deployment so all instances pick up the new value
4. Revoke the old secret from the portal once all instances are updated
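The order of those four steps is what keeps the rotation zero-downtime: the portal accepts both secrets while the fleet rolls over, and the old one is revoked only once nothing presents it any more. The model below is an added example (not the Aelix portal's or SDK's code) that simulates the portal side and the fleet side so the ordering can be checked; it also shows what happens if step 4 is run before step 3 finishes. Class names and secret values are constructed.

```python
"""Model of the four-step secret rotation described above.

Added example, not from the Aelix portal or its SDK. PortalClient holds the
set of secrets the portal currently accepts for one OAuth client; Fleet
holds the secret each application instance presents. rotate() runs the
steps in the documented order and fails loudly if any instance would be
locked out. All names and secret values are constructed.
"""
import secrets as _secrets


class PortalClient:
    """Portal's view of one OAuth client: the secrets it currently accepts."""

    def __init__(self, initial_secret: str):
        self.active = {initial_secret}

    def generate_secret(self) -> str:
        # Step 1: issue a new secret; the old one stays active.
        new = _secrets.token_hex(16)
        self.active.add(new)
        return new

    def authenticate(self, presented: str) -> bool:
        return presented in self.active

    def revoke(self, old: str) -> None:
        # Step 4: never remove the last remaining secret.
        if len(self.active) < 2:
            raise RuntimeError("refusing to revoke the only active secret")
        self.active.remove(old)


class Fleet:
    """Application instances, each holding the secret it was deployed with."""

    def __init__(self, count: int, secret: str):
        self.instances = {f"app-{i}": secret for i in range(count)}

    def rolling_deploy(self, new_secret: str, batch_size: int = 1):
        # Step 3: replace instances one batch at a time, yielding after each batch.
        names = list(self.instances)
        for start in range(0, len(names), batch_size):
            for name in names[start:start + batch_size]:
                self.instances[name] = new_secret
            yield start + batch_size

    def all_on(self, secret: str) -> bool:
        return all(s == secret for s in self.instances.values())


def rotate(portal: PortalClient, fleet: Fleet, old_secret: str) -> str:
    """Run the rotation end to end and return the new secret.
    Raises if any instance would fail to authenticate during the rollout."""
    new_secret = portal.generate_secret()          # step 1
    # Step 2 (publish to the secrets manager) is represented by the fleet
    # reading new_secret during the rolling deploy.
    for _ in fleet.rolling_deploy(new_secret):     # step 3
        for name, presented in fleet.instances.items():
            if not portal.authenticate(presented):
                raise RuntimeError(f"{name} locked out mid-rotation")
    assert fleet.all_on(new_secret)
    portal.revoke(old_secret)                      # step 4, only after full rollout
    return new_secret


def premature_revoke_locks_out(instances: int = 3) -> int:
    """Count instances locked out if the old secret is revoked before the
    rollout finishes (the mistake the documented ordering prevents)."""
    old = "old-secret-constructed"
    portal = PortalClient(old)
    fleet = Fleet(instances, old)
    new = portal.generate_secret()
    gen = fleet.rolling_deploy(new)
    next(gen)                       # only the first instance has the new secret
    portal.revoke(old)              # wrong order: step 4 before step 3 completes
    return sum(not portal.authenticate(s) for s in fleet.instances.values())
```

`premature_revoke_locks_out(3)` returns 2: with three instances and one batch deployed, revoking early strands the other two, which is exactly the outage the "old secret remains active" overlap in step 1 is there to avoid.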

## 4 — Enable Audit Logging

The Developer Portal provides an audit log of all API key usage under **Dashboard → Audit Log**. Export logs to your SIEM via the Audit Log API:

```http
GET /v1/audit-logs?from=2025-04-01T00:00:00Z&to=2025-04-15T23:59:59Z
Authorization: Bearer {admin_token}
```

## 5 — Set Up IP Allowlisting

Restrict which IP addresses can use your API credentials via **Dashboard → Applications → IP Restrictions**. For production workloads, allow only your application server's egress IPs and NAT gateway address.
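Once audit events are in your SIEM (step 4), the policies from steps 2 and 5 become things you can check against real usage rather than just configure. The detection below is an added example, not Aelix's own tooling: this page does not show the Audit Log API's response format, so the JSON event shape (`ts`, `client_id`, `source_ip`, `scope`, `status`) is an assumption and the events and per-application policy are constructed. It flags calls from IPs outside the application's allowlist, calls using scopes the application was never granted, and calls from client IDs with no policy at all.

```python
"""Detections over exported audit-log events.

Added example, not Aelix's own tooling. The event shape (ts, client_id,
source_ip, scope, status) is an assumption, and POLICY and AUDIT_EXPORT are
constructed. Checks: source IP outside the app's allowlist (step 5),
scope outside the app's granted scopes (step 2), unknown client.
"""
import ipaddress
import json

# Per-application policy (constructed): registered egress CIDRs and granted scopes.
POLICY = {
    "app-payments": {
        "allowed_cidrs": ["203.0.113.0/28", "198.51.100.7/32"],  # app servers + NAT gateway
        "granted_scopes": {"banking:read", "payments:initiate"},
    },
    "svc-admin": {
        "allowed_cidrs": ["198.51.100.7/32"],
        "granted_scopes": {"admin:users"},
    },
}

# Constructed export: one JSON object per line, as a SIEM forwarder might receive it.
AUDIT_EXPORT = """\
{"ts": "2025-04-14T09:01:11Z", "client_id": "app-payments", "source_ip": "203.0.113.5", "scope": "banking:read", "status": 200}
{"ts": "2025-04-14T09:02:30Z", "client_id": "app-payments", "source_ip": "203.0.113.9", "scope": "payments:initiate", "status": 200}
{"ts": "2025-04-14T09:05:02Z", "client_id": "app-payments", "source_ip": "192.0.2.44", "scope": "banking:read", "status": 200}
{"ts": "2025-04-14T09:06:40Z", "client_id": "app-payments", "source_ip": "203.0.113.5", "scope": "admin:users", "status": 403}
{"ts": "2025-04-14T10:00:00Z", "client_id": "svc-admin", "source_ip": "198.51.100.7", "scope": "admin:users", "status": 200}
{"ts": "2025-04-14T10:00:05Z", "client_id": "unknown-client", "source_ip": "198.51.100.7", "scope": "banking:write", "status": 401}
"""


def parse_events(export: str):
    """Parse a JSON-lines export into a list of event dicts."""
    return [json.loads(line) for line in export.splitlines() if line.strip()]


def check_event(event, policy=POLICY):
    """Return a list of finding strings for one event (empty if it is clean)."""
    findings = []
    app = policy.get(event["client_id"])
    if app is None:
        return [f"{event['ts']} {event['client_id']}: client not in policy"]
    ip = ipaddress.ip_address(event["source_ip"])
    if not any(ip in ipaddress.ip_network(c) for c in app["allowed_cidrs"]):
        findings.append(f"{event['ts']} {event['client_id']}: call from {ip}, outside allowlist")
    # A denied (403) call still matters: it shows the credential was used to try a scope
    # the application should never request.
    if event["scope"] not in app["granted_scopes"]:
        findings.append(
            f"{event['ts']} {event['client_id']}: used ungranted scope {event['scope']} (HTTP {event['status']})"
        )
    return findings


def scan(export: str, policy=POLICY):
    """Run check_event over every event in the export and collect findings."""
    findings = []
    for ev in parse_events(export):
        findings.extend(check_event(ev, policy))
    return findings


if __name__ == "__main__":
    for f in scan(AUDIT_EXPORT):
        print("ALERT", f)
```

On the constructed export this raises three alerts: the `192.0.2.44` call outside the allowlist, the `admin:users` attempt by `app-payments`, and the unknown client ID. Keeping `POLICY` in sync with what is configured under **IP Restrictions** and the scopes each application is registered for means the SIEM rule catches drift between the two as well.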



 

 

 

### Tags

[OAuth](/taxonomy/term/37)

[REST](/taxonomy/term/36)