Key Management
Best practices for API key lifecycle management — creation, rotation, revocation, expiration, and environment-specific strategies.
Every OptStuff API key goes through a lifecycle: creation, active use, and eventual rotation or revocation. Managing this lifecycle well is critical for keeping your integration secure.
API Key Structure
Each API key consists of a dual-key pair:
| Component | Format | Purpose | Visibility |
|---|---|---|---|
| Public Key | pk_ + 22 characters (25 total) | Identifies requests in URLs | Viewable anytime in dashboard |
| Secret Key | sk_ + base64url | Signs URLs (HMAC-SHA256) | Shown only once at creation/rotation |
For details on how keys are used in requests, see URL Signing.
Key Lifecycle
Creation
- Create a key from the dashboard (see Quick Start)
- Configure a name and an optional expiration date
- Copy the secret key immediately — it cannot be retrieved later
The public key can always be viewed and copied from the API key list.
Rotation
Rotation revokes the old key and creates a new one in a single database transaction. The new key inherits all settings from the old key.
Use rotation when:
- A key may have been compromised
- Your regular rotation schedule triggers (recommended: every 90 days)
After rotation:
- Copy the new secret key
- Update your environment variables
- Deploy the change
Revocation
Revocation immediately disables a key. All subsequent requests using it receive HTTP 401 (Unauthorized).
Use revocation when:
- A key is confirmed compromised and you don't need a replacement
- A key is no longer needed
- You want to disable access for a specific integration
Expiration
Set an optional expiration date when creating a key. After this date, the key is automatically rejected. This limits the damage window if a key is compromised and goes undetected.
Best Practices
| Practice | Why |
|---|---|
| Set expiration dates | Limits damage window if a key is compromised |
| Rotate every 90 days | Reduces long-term exposure risk |
| Use separate keys per environment | Isolates production from development/staging |
| Revoke compromised keys immediately | Stops unauthorized access instantly |
| Sign URLs server-side only | Secret key never exposed to browsers |
| Store secret keys in environment variables | Never hard-code or commit to version control |
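A start-up configuration check that applies the rules on this page, written as an added example (not OptStuff's own code): it validates the documented pk_/sk_ formats, reads the keys from environment variables, and flags keys that are expired or due for the 90-day rotation. The variable names OPTSTUFF_PUBLIC_KEY, OPTSTUFF_SECRET_KEY, OPTSTUFF_KEY_CREATED and OPTSTUFF_KEY_EXPIRES, the 14-day warning window and the base64url alphabet for the public key's 22 characters are assumptions.

```python
import re
from datetime import date
from typing import Dict, List, Optional

# Key formats documented above: pk_ + 22 characters (25 total), sk_ + base64url.
# Assumption: the 22 public-key characters are also drawn from the base64url alphabet.
PUBLIC_KEY_RE = re.compile(r"^pk_[A-Za-z0-9_-]{22}$")
SECRET_KEY_RE = re.compile(r"^sk_[A-Za-z0-9_-]+$")
ROTATION_PERIOD_DAYS = 90   # rotation schedule recommended above
WARN_BEFORE_DAYS = 14       # assumed lead time for the "rotate-soon" warning


def key_format_problems(public_key: str, secret_key: str) -> List[str]:
    """Return format problems for a key pair; the secret value is never echoed."""
    problems = []
    if not PUBLIC_KEY_RE.fullmatch(public_key):
        problems.append("public key must be 'pk_' followed by 22 characters (25 total)")
    if not SECRET_KEY_RE.fullmatch(secret_key):
        problems.append("secret key must be 'sk_' followed by base64url characters")
    return problems


def rotation_status(created: date, expires: Optional[date], today: date) -> str:
    """Classify where a key sits in its lifecycle: expired, overdue, rotate-soon or ok."""
    if expires is not None and today >= expires:
        return "expired"          # the service already rejects this key automatically
    age_days = (today - created).days
    if age_days >= ROTATION_PERIOD_DAYS:
        return "overdue"          # past the recommended 90-day rotation schedule
    if expires is not None and (expires - today).days <= WARN_BEFORE_DAYS:
        return "rotate-soon"      # expiration is close: rotate before requests start failing
    if ROTATION_PERIOD_DAYS - age_days <= WARN_BEFORE_DAYS:
        return "rotate-soon"      # scheduled rotation is due within the warning window
    return "ok"


def check_key_config(env: Dict[str, str], today: date) -> Dict[str, object]:
    """Validate the key configuration read from environment variables (assumed names)."""
    problems = key_format_problems(env.get("OPTSTUFF_PUBLIC_KEY", ""),
                                   env.get("OPTSTUFF_SECRET_KEY", ""))
    created, expires = env.get("OPTSTUFF_KEY_CREATED"), env.get("OPTSTUFF_KEY_EXPIRES")
    if not created:
        problems.append("OPTSTUFF_KEY_CREATED is needed to track the rotation schedule")
        return {"ok": False, "status": "unknown", "problems": problems}
    status = rotation_status(date.fromisoformat(created),
                             date.fromisoformat(expires) if expires else None, today)
    # A key that still works but is due for rotation passes with a warning status.
    return {"ok": not problems and status in ("ok", "rotate-soon"),
            "status": status, "problems": problems}
```

Run it with `check_key_config(dict(os.environ), date.today())` at service start and fail fast on `ok == False`, logging only the `problems` and `status` fields, never the key values.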
Environment Strategy
| Environment | Recommended Setup |
|---|---|
| Development | Separate key with short expiration |
| Staging | Separate key matching production configuration |
| Production | Separate key, appropriate expiration, and monitored traffic profile (not yet available in the dashboard) |
Related Documentation
- Quick Start — How to create and manage keys in the UI
- URL Signing — How keys are used to sign requests
- Security Best Practices — Broader security context