Best practices for managing secret API keys

Learn how to manage secret API keys and handle key leaks.

API keys are a form of account credentials, like a username and password. If bad actors obtain a secret key, they can use it to harm your organization and other parties in the Kiln ecosystem.

Kiln users own the responsibility of keeping secret API keys safe. Here are some best practices for how to do that.

Risk relative to Kiln Connect API Keys

Kiln Connect API has two main uses, facilitate complex transaction crafting and streamline reporting.

While staking with Kiln all sensitive operations are handled on-chain. Therefore if an API key is compromised or leaked there is no risk or loss of funds and alteration of your staking positions. Yet, an attacker can interact with your reporting and your organization's dashboard views.

The following is a set of good practices you may want to apply to your organization to best protect your API keys while using or sharing them.

Protecting against key leakage

Use secure key management systems (KMS) to store secret keys. When you create an API key from the Kiln Dashboard, it is only revealed once. Immediately copy the key to a KMS, which is designed to handle sensitive information with encryption and access controls. Make sure you don’t leave a copy of the key in the local file.
Grant access only to those who need it. Define a clear policy on which users have permission to create, update or read keys. Limit the access only to those who need it. Audit the access periodically to avoid excess privilege on keys.
Don’t share secret keys using insecure means. Don’t share keys in emails, chat messages, or customer support messages. Stripe never asks you for your secret API key.
Don’t store keys in source code repositories (such as GitHub). Bad actors might scan public source repositories for leaked keys. Even if the source repository is private, it could be shared with team members on their development environments.
Don’t embed secret keys in applications. Bad actors can exploit secret keys by matching a certain string pattern in the application. Avoid embedding keys in applications such as client tools, SDKs, and mobile apps.
Exercise your ability to roll your API Keys. Defining and exercising a process for rolling keys helps you understand where your keys are being used and prepares your organization in the event your API key is leaked. By having key rolling processes in place you’ll be prepared to respond to a key leak event with a minimum of impact on your business.
Regular training and updating documentation. Maintain up-to-date documentation about how to handle secret API keys within your organization and host regular training sessions to make sure best practices are followed.

Handle leaked secret API keys

If you identified a secret key leak, such as if a key is accidentally published to GitHub, immediately roll the key from Kiln Dashboard and replace your integration with the new key. If you detected abnormal behaviors without confirming that the API key is leaked, we recommended that you roll the API keys proactively while investigating the root cause in parallel.