
API Key Security

API keys provide programmatic access to Onvera. This page covers security best practices.

API Key Format

API keys have the format:

onv_sk_live_<random_token>

The token is cryptographically random and unique.

Storage

Server-Side

  • Secure storage - API keys are stored securely using industry-standard hashing
  • Never stored in plaintext - Only hashed values are stored

Client-Side

  • Store securely - Use environment variables or secret managers
  • Never commit - Don't commit keys to version control
  • Rotate regularly - Change keys every 90 days

Scope-Based Access

API keys can be scoped to limit permissions:

  • deployments:read - Read-only access to deployments
  • deployments:write - Create/update deployments
  • deployments:delete - Delete deployments
  • operations:read - Read operations
  • org:read - Read organization information

Best practice: Use the minimum required scopes.

Expiration

API keys can have expiration dates:

  • No expiration - Key is valid until revoked (default)
  • Expiration date - Key expires on specified date

Expired keys cannot be used and must be replaced.

Revocation

Revoke API keys immediately when:

  • Key is compromised
  • Key is no longer needed
  • Employee leaves organization
  • Key is rotated
Warning: Revoked keys cannot be restored.
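The rules in the Storage, Scope-Based Access, Expiration and Revocation sections above, as an added example of a hypothetical server-side key store (this is not Onvera's own code). The onv_sk_live_ prefix and scope names come from this page; SHA-256 as the hash, a 43-character token (32 random bytes, URL-safe base64) and the KeyStore API are assumptions.

```python
import hashlib
import re
import secrets
from datetime import datetime, timedelta, timezone

# Key shape from the page: onv_sk_live_<random_token>. The 43-character width
# matches secrets.token_urlsafe(32) and is an assumption of this example.
KEY_PATTERN = re.compile(r"onv_sk_live_[A-Za-z0-9_-]{43}")


def fingerprint(key: str) -> str:
    """Only this digest is persisted; the key itself is never written (SHA-256 assumed)."""
    return hashlib.sha256(key.encode()).hexdigest()


class KeyStore:
    """Hypothetical store: hashed keys, scopes, optional expiry, permanent revocation."""

    def __init__(self):
        self._records = {}  # fingerprint -> {"scopes", "expires", "revoked"}

    def create(self, scopes, ttl_days=None):
        key = "onv_sk_live_" + secrets.token_urlsafe(32)
        now = datetime.now(timezone.utc)
        expires = None if ttl_days is None else now + timedelta(days=ttl_days)
        self._records[fingerprint(key)] = {
            "scopes": frozenset(scopes), "expires": expires, "revoked": False}
        return key  # shown once to the caller; afterwards only the hash exists

    def revoke(self, key):
        rec = self._records.get(fingerprint(key))
        if rec is not None:
            rec["revoked"] = True  # cannot be undone, matching the warning above

    def authorize(self, key, scope):
        """True only for a well-formed, known, unrevoked, unexpired key holding `scope`."""
        if not KEY_PATTERN.fullmatch(key):
            return False
        rec = self._records.get(fingerprint(key))
        if rec is None or rec["revoked"]:
            return False
        if rec["expires"] is not None and datetime.now(timezone.utc) >= rec["expires"]:
            return False
        return scope in rec["scopes"]  # minimum-scope rule: exact scope required


def find_leaked_keys(text):
    """Check for the 'never commit' rule: report key-shaped strings found in text."""
    return KEY_PATTERN.findall(text)
```

The `find_leaked_keys` helper is the kind of check a pre-commit hook or CI step can run over files before they reach version control.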

Rotation

Rotate API keys regularly:

  1. Create new key - Generate replacement key
  2. Update integrations - Update all systems using the key
  3. Revoke old key - Remove old key after migration
  4. Verify functionality - Ensure all integrations work

Recommended: Rotate every 90 days.

Monitoring

Monitor API key usage:

  • Audit logs - View all key usage
  • Dashboard - See key activity in dashboard
  • Alerts - Set up alerts for unusual activity

Security Best Practices

  1. Never share keys - Keep keys private
  2. Use environment variables - Don't hardcode keys
  3. Rotate regularly - Change keys every 90 days
  4. Use scoped keys - Limit permissions
  5. Monitor usage - Review audit logs
  6. Revoke unused keys - Remove keys that are no longer needed
  7. Set expiration dates - For temporary access
