API key safety
- Store keys in a secret manager (not in Git).
- Rotate keys regularly.
- Use scoped keys whenever possible.
Never put keys in the browser
API keys should only be used server-side. If you need client-side behavior, build a backend endpoint that proxies the minimal action.
Webhook security
- Verify signatures on every webhook.
- Acknowledge quickly (return 2xx fast).
- Rotate webhook secrets if compromised.
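A receiver that applies the first two bullets, added here as an example (not code from the original page or from any particular provider): it assumes an HMAC-SHA256 signature over `<timestamp>.<raw body>` carried in `X-Webhook-Timestamp` and `X-Webhook-Signature` headers (assumed names; substitute your provider's documented scheme), verifies in constant time, rejects stale deliveries, and acknowledges before any slow work.

```python
import hashlib
import hmac
import json
import time

# Constructed sample secret; in production load it from a secret manager.
WEBHOOK_SECRET = b"constructed-example-webhook-secret"
MAX_SKEW_SECONDS = 300  # reject timestamps more than 5 minutes off (replay window)


def sign_payload(secret: bytes, timestamp: int, body: bytes) -> str:
    """HMAC-SHA256 over "<timestamp>.<raw body>" (assumed scheme), hex-encoded."""
    msg = str(timestamp).encode() + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, headers: dict, body: bytes, now=None) -> bool:
    """Return True only if the timestamp is fresh and the signature matches."""
    now = int(time.time()) if now is None else now
    try:
        ts = int(headers.get("X-Webhook-Timestamp", ""))
    except ValueError:
        return False  # missing or malformed timestamp
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False  # stale or replayed delivery
    provided = headers.get("X-Webhook-Signature", "")
    expected = sign_payload(secret, ts, body)
    # Constant-time comparison over the raw body bytes; never use == on signatures.
    return hmac.compare_digest(expected.encode(), provided.encode())


def handle_webhook(headers: dict, body: bytes, now=None) -> int:
    """Verify first, then acknowledge with 2xx before any slow processing."""
    if not verify_webhook(WEBHOOK_SECRET, headers, body, now):
        return 401
    # Hand the verified event to a queue here; do not block the response on it.
    return 200


def build_headers(timestamp: int, body: bytes, secret: bytes = WEBHOOK_SECRET) -> dict:
    """Constructed sender side: the headers a provider using this scheme would attach."""
    return {
        "X-Webhook-Timestamp": str(timestamp),
        "X-Webhook-Signature": sign_payload(secret, timestamp, body),
    }


if __name__ == "__main__":
    body = json.dumps({"event": "payment.completed", "id": "evt_constructed_001"}).encode()
    ts = 1_700_000_000
    print(handle_webhook(build_headers(ts, body), body, now=ts + 10))         # 200
    print(handle_webhook(build_headers(ts, body), body + b" ", now=ts + 10))  # 401 (tampered)
```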
Tenant isolation
If you operate multiple tenants/environments, make sure your app:
- Uses separate keys per tenant/environment
- Tags outgoing transmissions with metadata so you can correlate events