Protect Your Secret Key
Overview
The API Key you generate through the Developer Portal, provides programmatic access to your didimo user account. As such, you should protect it as you would a password or other sensitive information.
If your API Key is leaked, malicious entities may use it to spend your quota or even delete some of your data.
Best Practices
Do not store API keys in your code
Storing API keys in your code means you are exposing them through your version control system in plain text. Even if your repository is private and secure - this key will be transferred in an unsecured way.
Do not publish your API key with your applications
When you publish and distribute an application (such as iOS/Android/Unity/Unreal), it is possible to de-compile, extract your API key, and start spending your Didimo points. Even if you try to protect it with obfuscation or other techniques, it is possible to reverse-engineer your app and extract the API Key. Secure your key on the server.
Store your API keys on the server
Establish a secure connection from your applications to your server, through some form of client/server authentication, and then have the backend make the requests to our API.
Create a new API key if you suspect it has been compromised
As soon as you suspect an API key may have been compromised, delete it and create a new one. That can be easily done through the Developer Portal.
Updated about 3 years ago