All accounts have six keys: a publishable key, a restricted key and a secret key pair for test and live mode. By default, your secret keys can be used to perform any API request without restriction. This page describes how to manage your keys in the developer section of the Speed web application.
You can create, reveal, update, roll back, or delete keys from the developer keys page.
Reveal a default API key
On the “Standard keys” page on the web application,
- Secret keys is hide for both modes after the first time you access it.
- The publishable key, however, is never hidden once it is created.
Use the steps mentioned below to reveal a secret key:
- Log into the Speed web application with appropriate credentials and follow these steps:
- Select the mode (Test or Live) for which you want to reveal the API key.
- Open the Developers > API keys > Standard keys page.
- Click the
Reveal key button. - It will automatically save it to your system.
Secret keys can also be hidden manually using the hide button right next to the key.
Generate a secret key
You can only generate secret keys for the live mode.
Follow these steps to generate them:
- Select the mode (Test or Live) for which you want to generate the API key.
- Navigate to Developers > API keys > Standard keys.
- Click on
Add Secret Key. Upon clicking theCreate Secret keybutton, Speed asks for the name and description of the key you want to generate. - After that, click the
create keybutton to generate a key. - You can create a maximum of 2 secret keys for an account. If the limit is exceeded, the ability to create a secret key is disabled.
Generate a restricted key
You can generate restricted keys for each live & test mode.
Follow these steps to generate them:
- Select the mode (Test or Live) for which you want to generate the API key.
- Navigate to Developers > API keys > Restricted Keys.
- Upon clicking the
Create Restricted keybutton, Speed asks for the name and description of the key you want to generate.- After that, select the module you want to allow to be accessed and the kind of permission (write / read), then click the
createbutton to generate a restricted key.
- After that, select the module you want to allow to be accessed and the kind of permission (write / read), then click the
- You can create a maximum of 3 secret keys for an account. If the limit is exceeded, the ability to create a restricted key is disabled.
Best practices to keep them safe
Your secret and restricted API keys can be used to make any API call on your account's behalf, such as creating payments or transferring funds or any other API whose permission is given. Hence, you should store and protect your secret API keys as you would with any other password.
Your secret and restricted API keys are valuable information, and an unintentional leak could lead to a data breach or worse outcome. For example, someone could view your data, make changes to your account, and even transfer funds as they see fit. You cannot delete the default keys associated with your account, so use a strong security strategy.
Check out these recommendations to keep your API keys secure.
- Grant access only to those who need it.
- Do not store your secret and restricted API keys on the client side.
- Do not expose unencrypted credentials in code repositories, even if they are private.
- Control access to your key using a password manager or secret management service like AWS Secret Manager. It will not only protect your keys, but also help you retrieve and manage the credentials of your entire team.
- If you think your API credentials have been compromised, keep calm and simply roll your keys. To roll a secret or restricted key, see Manage API keys.
- One common mistake is using a single secret key to access everything. The correct approach is to use restricted API keys, with each key representing specific permissions.