Hi fellow developer! Here is a list of good practices to make sure you don’t leak your API token. This list complements, and does not replace, the usual security good practices:

  1. Store your API tokens securely using a secrets manager such as Google Secret Manager, AWS Secrets Manager, HashiCorp Vault, or similar.

  2. Never hardcode or store your API token in a git repo, private or public; anyone who can read the repo can then use your account.

  3. Don't share or expose your API token on the frontend.

    <aside> ⚠️ ALWAYS keep your API tokens on your backend. This is common practice, but we want to stress it just in case.

    Exposing your API token in your mobile or web applications means any user will be able to access your ZooTools account, with both read and write access, and get to your customer data.

    </aside>

  4. In development, if you have multiple team members working with the ZooTools API, always share your token encrypted, using a tool like 1Password.

  5. Before going live in production, we can generate a new token that only your project admin will know and can store securely in whatever secrets vault you use (e.g. Google Secret Manager). If your team is small, or only you have worked on the feature, you probably don’t need this.
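The following is an added example, not ZooTools' own code, showing what items 1 to 3 look like in a backend service: the token is read from an environment variable that a secrets manager injects at deploy time (no fallback value in source), it is masked before it reaches any log line, only a token-free config is handed to the browser or mobile client, and a small heuristic scanner flags string literals assigned to secret-looking variables so item 2 can be enforced in a pre-commit hook. The variable name `ZOOTOOLS_API_TOKEN`, the Bearer header, the proxy route and the scanner heuristic are assumptions for this example, not part of the ZooTools documentation.

```python
"""Keep an API token on the backend and out of source control.

Added example, not ZooTools' own code. Assumptions: the token is provided
through an environment variable named ZOOTOOLS_API_TOKEN that a secrets
manager (Google Secret Manager, AWS Secrets Manager, Vault, ...) injects at
deploy time, and the upstream API expects it as a Bearer token.
"""
import os
import re
from typing import List, Mapping, Optional, Tuple

TOKEN_ENV_VAR = "ZOOTOOLS_API_TOKEN"  # assumed name, not from the ZooTools docs


class MissingTokenError(RuntimeError):
    """Raised when no token is configured; there is deliberately no fallback."""


def load_api_token(env: Optional[Mapping[str, str]] = None) -> str:
    """Read the token from the environment, never from a default in a source file."""
    env = os.environ if env is None else env
    token = env.get(TOKEN_ENV_VAR, "").strip()
    if not token:
        raise MissingTokenError(
            f"{TOKEN_ENV_VAR} is not set; inject it from your secrets manager"
        )
    return token


def auth_headers(token: str) -> dict:
    """Build the outbound request headers; these are used server-side only."""
    return {"Authorization": f"Bearer {token}"}


def redact(token: str, keep: int = 4) -> str:
    """Mask a token for logs: keep the last few characters, hide the rest."""
    if len(token) <= keep:
        return "*" * len(token)
    return "*" * (len(token) - keep) + token[-keep:]


def public_config(token: str) -> dict:
    """The only configuration the backend sends to the web/mobile client.

    The token is intentionally absent: the client calls our own backend
    route (assumed path), and the backend adds the Authorization header.
    """
    return {"api_base": "/api/zootools-proxy"}


# Item 2 check: flag string literals of 16+ characters assigned to variables
# whose names suggest a secret. A constructed heuristic, not a full scanner.
_SECRET_ASSIGNMENT = re.compile(
    r"""(?i)\b(?:api[_-]?token|api[_-]?key|secret|password)\w*\s*[:=]\s*['"]([^'"]{16,})['"]"""
)


def find_hardcoded_tokens(source_lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line_number, redacted_value) for lines that embed a literal secret."""
    hits = []
    for n, line in enumerate(source_lines, start=1):
        if "os.environ" in line or "getenv" in line:
            continue  # reading the value from the environment is what we want
        match = _SECRET_ASSIGNMENT.search(line)
        if match:
            hits.append((n, redact(match.group(1))))
    return hits


if __name__ == "__main__":
    # Constructed sample source lines, as a pre-commit hook would scan them
    sample = [
        'API_TOKEN = "zt_live_0123456789abcdef0123"',  # constructed value, flagged
        'token = os.environ["ZOOTOOLS_API_TOKEN"]',    # fine
        'name = "frontend"',
    ]
    print("hardcoded secrets:", find_hardcoded_tokens(sample))
    try:
        load_api_token({})
    except MissingTokenError as err:
        print("refused to start:", err)
```

Wire `find_hardcoded_tokens` into a pre-commit hook over staged files and the scanner catches item 2 before the commit exists; the refusal to start without the environment variable is what keeps a "temporary" literal from ever being added to source to make the app run.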

That’s all! Happy coding 👊

<aside> 🪄 Have feedback to improve this page? Send it to [email protected]

</aside>