Best practices for keeping your API key safe
Suspending your key
In your account dashboard you can suspend your key at any time and replace it with a new key.
Multiple keys per account
Free-trial accounts are limited to one key at a time, but paying customers can have multiple keys. These can be created (or suspended) anytime in your account dashboard.
Please do NOT put your key in GitHub
Please do not check your key into GitHub or any other public version control service. A better approach is to have your code access the key via an environment variable or command line parameter that is set at the time the software is run. The best way to do this will depend on exactly which platform you are running on and which technology you are using, but we strongly encourage you to spend a few minutes learning whatever the best practices are for your stack. Here are some examples of software for managing keys Datatree to define a policy of not allowing secret credentials into source code with automated checks at each code commit.
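The approach above, as an added example that is not code from this service: the key is read from a command line parameter or an environment variable, and a commit-time check scans the staged diff for key-like literals. The variable name GEOCODER_API_KEY, the script name check_keys.py and the 32-hex-character key format are assumptions made for illustration.

```python
import argparse
import re
import sys

# Assumption: keys look like 32 hex characters; adjust to your provider's format.
KEY_LIKE = re.compile(r"\b[0-9a-f]{32}\b", re.IGNORECASE)
HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)")

# Constructed sample: a staged change that hard-codes a (fake) key.
SAMPLE_DIFF = """--- a/app.py
+++ b/app.py
@@ -1,2 +1,3 @@
 import os
+KEY = "0123456789abcdef0123456789abcdef"
 print("hi")
"""

def load_key(argv, environ):
    """Return the key from --api-key, else from the environment; never from source."""
    parser = argparse.ArgumentParser()
    # GEOCODER_API_KEY is a hypothetical variable name.
    parser.add_argument("--api-key", default=environ.get("GEOCODER_API_KEY"))
    args, _ = parser.parse_known_args(argv)
    if not args.api_key:
        raise SystemExit("no API key: set GEOCODER_API_KEY or pass --api-key")
    return args.api_key

def find_hardcoded_keys(diff_text):
    """Scan a unified diff; return (file, line_no) for added lines with a key-like literal."""
    findings, path, line_no = [], None, 0
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            path = line[4:].removeprefix("b/")
        elif (m := HUNK.match(line)):
            line_no = int(m.group(1))      # first line number of the new file side
        elif line.startswith("+"):
            if KEY_LIKE.search(line[1:]):
                findings.append((path, line_no))
            line_no += 1
        elif line.startswith(" "):
            line_no += 1                   # context line; removed lines do not advance
    return findings

if __name__ == "__main__":
    # Hook use: git diff --cached | python check_keys.py  (exit 1 blocks the commit)
    piped = not sys.stdin.isatty()
    hits = find_hardcoded_keys(sys.stdin.read() if piped else SAMPLE_DIFF)
    for path, n in hits:
        print(f"{path}:{n}: possible API key in staged change", file=sys.stderr)
    sys.exit(1 if hits and piped else 0)
```

On shared hosts, prefer the environment variable: command line arguments are typically visible to other local users in process listings.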
What happens if someone "steals" my key?
If you believe someone is abusing your key, please get in touch with us. One worry that potential clients sometimes raise is that someone will get their key and start using it heavily, and they will face a large and unexpected bill. Fear not: that can't happen because of how our pricing works. Customers buy a month in advance, and there is no usage-based charging. If we see an explosion of usage, we email you and ask if it is expected and the source is known. If yes, and it will be ongoing, we ask you to move to a higher pricing tier in the future, but this never happens as a surprise. If no, we can help you work out what is going on.
IP restriction
Currently all keys are accessible from any IP address. In early 2020 we will be launching the ability for customers (i.e. accounts not on the free-trial tier) to restrict use of keys to certain IP addresses.
Currently all API responses specify
In early 2020 we will be launching the ability for customers (i.e. accounts not on the free-trial tier) to specify allowed origin domains.