Securing Your API Integration
Prerequisites
- A working API integration
- An understanding of OAuth 2.0 basics
1 — Manage Secrets Properly
Never hardcode API keys or client secrets in source code. Use a secrets manager:
- AWS Secrets Manager or Parameter Store for AWS-hosted applications
- Azure Key Vault for Azure-hosted applications
- Google Secret Manager for GCP
- HashiCorp Vault for on-premises or multi-cloud
```bash
# Load at runtime, never commit to git
export AELIX_CLIENT_SECRET=$(aws secretsmanager get-secret-value \
  --secret-id prod/aelix/client_secret \
  --query SecretString --output text)
```
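The shell snippet above shows the injection side; the application side should fail fast when the variable is missing and the repository should be checked for literals that slipped in anyway. The following is an added example, not code from the Aelix portal or this page. It reads the same `AELIX_CLIENT_SECRET` variable and adds a small heuristic scanner for hardcoded credentials; the regex, the sample source text and the `load_client_secret` / `find_hardcoded_secrets` names are assumptions made here for illustration.

```python
import os
import re

# Environment variable populated at runtime by the secrets manager (see the
# shell snippet on the page). The process never sees a literal in source.
SECRET_ENV_VAR = "AELIX_CLIENT_SECRET"


def load_client_secret(env=None) -> str:
    """Return the client secret from the environment, failing fast if absent.

    A missing or blank value is a deployment error, not something to paper
    over with a default, so raise rather than return an empty string.
    """
    env = os.environ if env is None else env
    value = env.get(SECRET_ENV_VAR, "").strip()
    if not value:
        raise RuntimeError(
            f"{SECRET_ENV_VAR} is not set; load it from your secrets manager")
    return value


def secret_is_configured(env=None) -> bool:
    """Boolean readiness probe around load_client_secret (handy for health checks)."""
    try:
        load_client_secret(env)
        return True
    except RuntimeError:
        return False


# Heuristic (assumed here, not an Aelix format): a credential-looking name
# assigned a quoted literal of 16 or more token characters.
HARDCODED_SECRET_RE = re.compile(
    r"""(?ix)
    \b(client_secret|api_key|secret|token)\b   # credential-ish identifier
    \s*[:=]\s*                                 # assignment or mapping
    ["']([A-Za-z0-9_\-]{16,})["']              # long quoted literal
    """
)


def find_hardcoded_secrets(source: str):
    """Return (line_number, identifier) for each line that hardcodes a credential.

    Intended for a pre-commit hook or CI step; reading the value from the
    environment (as line 4 of the sample does) is not flagged.
    """
    hits = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        match = HARDCODED_SECRET_RE.search(line)
        if match:
            hits.append((line_no, match.group(1)))
    return hits


# Constructed sample source file: line 3 hardcodes a secret, line 4 does it right.
SAMPLE_SOURCE = """\
# constructed sample for the scanner
CLIENT_ID = "aelix-demo-app"
client_secret = "sk_live_0123456789abcdefXYZ"
token = os.environ["AELIX_CLIENT_SECRET"]
"""

if __name__ == "__main__":
    for line_no, name in find_hardcoded_secrets(SAMPLE_SOURCE):
        print(f"line {line_no}: {name} is assigned a literal; move it to the secrets manager")
```

The scanner is deliberately narrow (it will miss secrets built by concatenation or stored in config files); pair it with the access controls your secrets manager provides rather than relying on it alone.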
2 — Apply Least-Privilege Scopes
Request only the OAuth scopes your application genuinely requires. Reviewing and reducing scopes limits the blast radius if credentials are compromised:
| Scope | Access Granted |
|---|---|
| banking:read | Read account balances and details |
| banking:write | Create and modify accounts |
| payments:initiate | Initiate payment transfers |
| admin:users | Manage portal users (service accounts only) |
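Reducing scopes is easier to keep honest when the application checks its own token against the set it actually needs. The block below is an added example, not code from the page or the Aelix portal: it builds a least-privilege scope request from the four scopes in the table, enforces the note that `admin:users` is for service accounts only, and compares a token's granted scopes with the required set. The function names and the payroll sample are assumptions made here; the scope string format follows RFC 6749 (space-delimited).

```python
# Scopes documented for the API (table in step 2).
KNOWN_SCOPES = {"banking:read", "banking:write", "payments:initiate", "admin:users"}

# The page restricts admin:users to service accounts.
SERVICE_ACCOUNT_ONLY = {"admin:users"}


def parse_scope_claim(scope_claim: str) -> set:
    """Split an RFC 6749 space-delimited scope string into a set of scopes."""
    return set(scope_claim.split())


def build_scope_request(required, is_service_account: bool = False) -> str:
    """Return the scope parameter for an authorization request.

    Rejects scopes the API does not define and service-account-only scopes
    requested by an ordinary application, so over-broad requests fail in
    development rather than being granted and forgotten.
    """
    required = set(required)
    unknown = required - KNOWN_SCOPES
    if unknown:
        raise ValueError(f"unknown scopes: {sorted(unknown)}")
    restricted = required & SERVICE_ACCOUNT_ONLY
    if restricted and not is_service_account:
        raise ValueError(
            f"{sorted(restricted)} may only be requested by service accounts")
    return " ".join(sorted(required))


def audit_granted_scopes(scope_claim: str, required) -> dict:
    """Compare the scopes present on a token with the set the app needs.

    'missing' scopes break functionality; 'excess' scopes enlarge the blast
    radius of a leaked credential and should be removed from the
    application's configuration in the portal.
    """
    granted = parse_scope_claim(scope_claim)
    required = set(required)
    return {
        "missing": sorted(required - granted),
        "excess": sorted(granted - required),
        "least_privilege": granted == required,
    }


# Constructed example: a payroll exporter needs to read balances and initiate
# payments, but its current token also carries banking:write.
PAYROLL_REQUIRED = ["banking:read", "payments:initiate"]
PAYROLL_TOKEN_SCOPE = "banking:read banking:write payments:initiate"

if __name__ == "__main__":
    print("request:", build_scope_request(PAYROLL_REQUIRED))
    print("audit:", audit_granted_scopes(PAYROLL_TOKEN_SCOPE, PAYROLL_REQUIRED))
```

Running the audit at startup and logging `excess` gives a standing signal that an application is carrying more privilege than it uses, which is the review the section asks for.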
3 — Rotate Credentials Regularly
Rotate client secrets on a schedule — typically every 90 days for production workloads:
- Generate a new client secret in the portal (the old secret remains active)
- Deploy the new secret to your secret manager
- Trigger a rolling deployment so all instances pick up the new value
- Revoke the old secret from the portal once all instances are updated
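The ordering of those four steps matters: the old secret must stay valid until every instance has reloaded, and must be revoked only after that. As an added example (not code from the page or the portal), the class below models the overlap window and refuses a revocation that would strand a running instance. Version labels such as `v1`, `v2`, the instance names and the 100-day-old starting state are constructed for the demonstration; the portal's own secret identifiers and API are not modelled.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

ROTATION_PERIOD = timedelta(days=90)   # production cadence given in step 3
DEMO_NOW = datetime(2025, 4, 15, tzinfo=timezone.utc)   # constructed "today"


class RotationError(Exception):
    pass


@dataclass
class ClientSecretSet:
    """Tracks which secret versions the portal still accepts and which
    version each running instance is using. Version labels are ours."""
    active: dict = field(default_factory=dict)   # version -> issued_at
    in_use: dict = field(default_factory=dict)   # instance -> version

    def due_for_rotation(self, now: datetime) -> list:
        """Versions older than ROTATION_PERIOD."""
        return sorted(v for v, issued in self.active.items()
                      if now - issued >= ROTATION_PERIOD)

    def generate(self, version: str, issued_at: datetime) -> None:
        """Step 1: create a new secret; existing versions stay active."""
        if version in self.active:
            raise RotationError(f"{version} already exists")
        self.active[version] = issued_at

    def deploy(self, instance: str, version: str) -> None:
        """Steps 2 and 3: an instance restarts with a version the portal accepts."""
        if version not in self.active:
            raise RotationError(f"{version} is not an active secret")
        self.in_use[instance] = version

    def instances_still_on(self, version: str) -> list:
        return sorted(i for i, v in self.in_use.items() if v == version)

    def safe_to_revoke(self, version: str) -> bool:
        """True only when no instance uses the version and another stays active."""
        return (version in self.active
                and not self.instances_still_on(version)
                and len(self.active) > 1)

    def revoke(self, version: str) -> None:
        """Step 4: refuse to revoke while any instance would break."""
        if not self.safe_to_revoke(version):
            raise RotationError(
                f"cannot revoke {version}: still used by "
                f"{self.instances_still_on(version)} or it is the only active secret")
        del self.active[version]


def rotate(secrets: ClientSecretSet, instances, old: str, new: str,
           now: datetime) -> ClientSecretSet:
    """Run the four steps end to end, as a rolling deployment would."""
    secrets.generate(new, now)            # 1. new secret, old still valid
    for instance in instances:            # 2-3. instances pick up the new value
        secrets.deploy(instance, new)
    secrets.revoke(old)                   # 4. old revoked once nobody uses it
    return secrets


def demo_state() -> ClientSecretSet:
    """Constructed starting point: three instances on a 100-day-old secret."""
    s = ClientSecretSet()
    s.generate("v1", DEMO_NOW - timedelta(days=100))
    for inst in ("api-1", "api-2", "api-3"):
        s.deploy(inst, "v1")
    return s


if __name__ == "__main__":
    s = demo_state()
    print("due:", s.due_for_rotation(DEMO_NOW))
    rotate(s, ["api-1", "api-2", "api-3"], "v1", "v2", DEMO_NOW)
    print("active after rotation:", sorted(s.active))
```

In a real pipeline `deploy` would be driven by each instance reporting the secret version it loaded (for example in a readiness probe), and `revoke` would call the portal only when `safe_to_revoke` is true.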
4 — Enable Audit Logging
The Developer Portal provides an audit log of all API key usage under Dashboard → Audit Log. Export logs to your SIEM via the Audit Log API:
```http
GET /v1/audit-logs?from=2025-04-01T00:00:00Z&to=2025-04-15T23:59:59Z
Authorization: Bearer {admin_token}
```
5 — Set Up IP Allowlisting
Restrict which IP addresses can use your API credentials via Dashboard → Applications → IP Restrictions. For production workloads, allow only your application server's egress IPs and NAT gateway address.
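Sections 4 and 5 reinforce each other: the IP restriction blocks credential use from unexpected addresses, and the exported audit log is where you confirm that the allowlist is complete and spot attempts from outside it. The block below is an added example, not code from the page or the Aelix Audit Log API. It runs an allowlist check over constructed audit-log records; the record field names (`timestamp`, `application`, `source_ip`, `path`, `status`) and the sample addresses (documentation ranges) are assumptions made here, so map them to the real export schema before use.

```python
import ipaddress
import json

# Constructed sample of audit-log records, one JSON object per line, as a SIEM
# export might look. Field names are an assumption for this example.
SAMPLE_AUDIT_LOG = """\
{"timestamp":"2025-04-02T09:14:03Z","application":"payroll-batch","source_ip":"203.0.113.10","path":"/v1/payments","status":201}
{"timestamp":"2025-04-02T09:14:09Z","application":"payroll-batch","source_ip":"198.51.100.7","path":"/v1/accounts","status":200}
{"timestamp":"2025-04-02T11:52:41Z","application":"payroll-batch","source_ip":"192.0.2.55","path":"/v1/accounts","status":200}
{"timestamp":"2025-04-02T11:52:43Z","application":"payroll-batch","source_ip":"2001:db8::1","path":"/v1/payments","status":401}
"""

# Constructed allowlist: the application servers' egress IP and the NAT
# gateway range, matching what step 5 says to configure in the portal.
ALLOWLIST = ["203.0.113.10/32", "198.51.100.0/28"]


def parse_allowlist(cidrs):
    """Accept single addresses or CIDR blocks, IPv4 or IPv6."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def is_allowed(ip_text: str, networks) -> bool:
    """Membership test; a v6 address never matches a v4 network and vice versa."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in networks)


def find_unexpected_sources(log_text: str, allowlist):
    """Return (timestamp, application, source_ip, status) for every record whose
    source address is outside the allowlist. A 200 from an unexpected address
    means the portal restriction is missing or incomplete; a 401 shows the
    restriction or credential check holding and is still worth alerting on."""
    networks = parse_allowlist(allowlist)
    flagged = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if not is_allowed(rec["source_ip"], networks):
            flagged.append((rec["timestamp"], rec["application"],
                            rec["source_ip"], rec["status"]))
    return flagged


def summarize_by_source(flagged) -> dict:
    """Count flagged records per source address, for a SIEM dashboard or alert."""
    counts = {}
    for _, _, ip, _ in flagged:
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_unexpected_sources(SAMPLE_AUDIT_LOG, ALLOWLIST)
    for ts, app, ip, status in hits:
        print(f"{ts} {app} from {ip} -> HTTP {status} (not in allowlist)")
    print(summarize_by_source(hits))
```

Run this against each export window you pull with the `GET /v1/audit-logs` request above; any successful call from an address outside the list is a sign that the portal's IP Restrictions do not yet cover every path your credentials are used from.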