Securing API Credentials

The keys and tokens that let your integrations connect are, in effect, passwords to your data. If they leak, someone could read or change information they should never touch, so they deserve the same care as any other sensitive secret.

This article explains how we keep these credentials safe throughout the life of an integration.

Common Risks

Most credential leaks come from a handful of avoidable mistakes.

  • Keys accidentally committed into source code.
  • Secrets shared over email or chat.
  • Credentials with far more access than they need.
  • Keys that are never changed, even after staff leave.

How We Protect Them

Good practice keeps secrets out of sight and tightly controlled.

  1. Store credentials in a secure secrets manager.
  2. Keep them out of code and out of the browser.
  3. Grant the least access each integration needs.
  4. Rotate keys regularly and after any concern.

Frequently Asked Questions

What should we do if a key is exposed?

Revoke it immediately and issue a new one. We can do this quickly and check whether any misuse occurred.

How often should keys be changed?

Regularly as a matter of routine, and always when a team member with access leaves the business.

If you need a hand with any of this, your Progressive Robot delivery team is ready to help. Raise a ticket from the Support area of your client portal or speak to your account manager and we will guide you through the next steps.
