
API Key Security Best Practices

When using API keys in the Coinbase Developer Portal, it is crucial that you take the necessary steps to securely protect your CDP API keys. Publicly exposing your credentials could result in your account being compromised and/or a loss of funds.

Here are some best practices you can follow to keep your CDP API keys secure.

1. Never embed keys directly in code

Embedding API keys in code increases the risk of accidentally exposing your keys to the public. For example, if you need to share your code, you may forget to remove the keys in your code. Instead, store your keys in environment variables or in files outside of your application source tree.

2. Never store keys inside your application's source tree

If you’re storing API keys in files, keep the files outside your application source tree to ensure your keys don’t end up in your source code control system (e.g., GitHub).

3. Restrict keys to sources that need them

Restricting your keys to only the sources that need them reduces the impact of a compromised API key. With the allowlist feature, you can specify IP addresses or CIDR ranges so that API requests signed with your keys are honored only from the origins (IPs) you define.

Steps

  1. Click API keys on the left side navigation bar.
  2. Navigate to the API key you’d like to edit and click Manage.
  3. Click Edit Key and expand API restrictions.
  4. Add an IP or CIDR under IP whitelist and save the changes.

4. Restrict signatures to certain APIs

If you have multiple APIs enabled in your project, restrict each signature (JWT) to the specific API it is meant for, to minimize the risk of replay attacks. You can do so by including the API request path in the signed body, so that the signature is only valid for that specific API.
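As an added illustration of this path-binding idea (example code written for this page, not CDP's own SDK or its documented token format): the client mints a JWT whose `uri` claim carries the method, host and path of the one request it signs, and the server-side verifier rejects that same token when it is presented for any other request, even though its signature is genuine. The claim name, the `method host path` layout, the two-minute lifetime, the Ed25519 key and the `api.example.com` values are this example's assumptions.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// Claims is the JWT payload (claim names and layout are this example's choice); "uri" binds the token to one method, host and path.
type Claims struct {
	URI string `json:"uri"`
	Nbf int64  `json:"nbf"`
	Exp int64  `json:"exp"`
}
var b64 = base64.RawURLEncoding

// Mint signs a short-lived EdDSA JWT that is valid for exactly one request (kid in the header is an assumed layout).
func Mint(priv ed25519.PrivateKey, kid, method, host, path string, now time.Time) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "EdDSA", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(Claims{URI: method + " " + host + path,
		Nbf: now.Unix(), Exp: now.Add(2 * time.Minute).Unix()})
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	return input + "." + b64.EncodeToString(ed25519.Sign(priv, []byte(input)))
}
// Verify pins the algorithm to the key type (the header's alg is never trusted), checks the signature
// and validity window, then requires the uri claim to match the request actually received.
func Verify(pub ed25519.PublicKey, token, method, host, path string, now time.Time) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return errors.New("malformed token")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return errors.New("signature invalid")
	}
	var c Claims
	if raw, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return errors.New("bad claims")
	}
	if now.Unix() < c.Nbf || now.Unix() >= c.Exp {
		return errors.New("token outside validity window")
	}
	if c.URI != method+" "+host+path { // a replay against another endpoint fails here
		return errors.New("token bound to a different request")
	}
	return nil
}
```

A token minted for `GET api.example.com/v1/wallets` is accepted only for that method and path while it is within its validity window; presenting it for another path, method, key or time fails.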

5. Delete unnecessary keys

If you no longer need any API keys, make sure to delete them to minimize your exposure to attack.

Steps

  1. Click API keys on the left side navigation bar.
  2. Navigate to the API key you’d like to edit and click Manage.
  3. Click Delete Key.
  4. Copy and paste the ID associated with the key and click Delete Key to confirm.

6. Rotate keys periodically

Rotating your keys reduces the risk associated with a single long-lived key being compromised. Coinbase Developer uses asymmetric cryptography, meaning that you will need to create new keys and delete the old ones to complete the rotation.
