
API Key Best Practices

Best practices for managing Anton API keys, including rotation, environment separation, and preventing key exposure.

Written by Ryan O
Updated today

Overview

Your API keys are the credentials that authenticate your requests to Anton. Treating them with the same care as passwords is essential to protecting your account and your recipients' funds.

Never Expose Your Keys

The most important rule: never expose your API keys. This means:

  • Never commit keys to version control -- Do not include API keys in your source code, configuration files checked into Git, or any repository (public or private). Use a .gitignore rule to exclude .env files, and run a secret scanner as a pre-commit hook. Removing a key from the latest commit does not remove it from history: a key that has ever been committed should be treated as exposed and rotated.

  • Never embed keys in client-side code -- API keys must not appear in browser JavaScript, mobile app code, or any code that runs on a user's device. Client-side code can always be inspected. If a browser or mobile client needs to reach Anton, route the call through your own backend, which holds the key.

  • Never share keys in chat, email, or tickets -- If you need to share credentials with a team member, use your secrets manager's sharing features, not plaintext communication.

  • Never log keys -- Ensure your application's logging does not capture API keys in request headers (for example an Authorization header echoed by HTTP client debug logging), configuration dumps, or crash reports. Prefer a redaction filter in the logging pipeline to hoping that no call site logs the header.
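As an added example (not Anton's own code or tooling), the Python module below implements the two checks above: a logging filter that redacts any ak_live_ / ak_test_ key from log records, and a scanner that reports which lines of a file or staged diff contain a key, usable from a pre-commit hook. The page documents only the key prefixes; the assumption that the rest of a key is an alphanumeric body of at least 8 characters, and the sample config text, are constructed for this example.

```python
import logging
import re
import sys

# Assumption (not documented on this page): a key is the documented prefix followed by an
# alphanumeric body of at least 8 characters. Adjust the body pattern to the real format.
KEY_PATTERN = re.compile(r"\b(ak_(?:live|test)_)[A-Za-z0-9]{8,}\b")


def redact(text: str) -> str:
    """Replace the body of every Anton key in text, keeping only the environment prefix."""
    return KEY_PATTERN.sub(r"\1***REDACTED***", text)


class RedactApiKeys(logging.Filter):
    """Logging filter that scrubs keys from the message template and from string args.

    Non-string args (ints for %d, etc.) are left alone so %-formatting still works.
    Attach it to every handler: logger.addHandler(h); h.addFilter(RedactApiKeys()).
    """

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(str(record.msg))
        if isinstance(record.args, dict):
            record.args = {k: _scrub(v) for k, v in record.args.items()}
        elif record.args:
            record.args = tuple(_scrub(a) for a in record.args)
        return True


def _scrub(value):
    return redact(value) if isinstance(value, str) else value


def scrubbed_message(msg: str, *args) -> str:
    """Format msg/args through the filter and return the final log line (for tests/demos)."""
    record = logging.LogRecord("anton", logging.INFO, __file__, 0, msg, args, None)
    RedactApiKeys().filter(record)
    return record.getMessage()


def scan_for_keys(text: str, path: str = "<stdin>") -> list[tuple[str, int, str]]:
    """Return (path, line number, redacted line) for each line containing a key.

    Feed it file contents or `git diff --cached -U0` output from a pre-commit hook and
    fail the commit when the list is non-empty.
    """
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        if KEY_PATTERN.search(line):
            findings.append((path, number, redact(line)))
    return findings


# Constructed sample: a .env file that was about to be committed (the key is fake).
SAMPLE_CONFIG = """DATABASE_URL=postgres://localhost/app
ANTON_API_KEY=ak_live_0123456789abcdef
LOG_LEVEL=info
"""

if __name__ == "__main__":
    # Pre-commit usage: python scan_keys.py < <(git diff --cached -U0)
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CONFIG
    hits = scan_for_keys(source, "staged-diff")
    for path, number, line in hits:
        print(f"{path}:{number}: {line}")
    sys.exit(1 if hits else 0)
```

The filter keeps the prefix visible on purpose: knowing that a live key rather than a test key leaked into a log is useful during incident review, while the body is what an attacker needs.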

Use a Secrets Manager

Store API keys in a dedicated secrets management solution:

  • AWS Secrets Manager

  • GCP Secret Manager

  • HashiCorp Vault

  • Azure Key Vault

  • Environment variables (minimum acceptable approach for smaller deployments; note that a running process's environment is readable by anything running as the same user and is often exposed through container or orchestrator metadata, so this is a floor, not a target)

Your application should read the key from the secrets manager at startup (and again on a refresh interval, so rotations are picked up without a redeploy), not from a configuration file on disk.

Separate Keys by Environment

Anton provides distinct key prefixes for each environment:

  • ak_test_ -- Sandbox (development and testing)

  • ak_live_ -- Production (real money)

Create separate keys for each environment and never mix them. Using a production key in your development environment increases the risk of accidental exposure and unintended real transactions. Because the prefix identifies the environment, your application can enforce the separation itself by refusing to start when the key's prefix does not match the environment it is deployed to.
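The check described above, as an added example rather than Anton's own code: a loader that obtains the key from an injected secrets-manager fetcher (or, as the fallback, from an environment variable) and refuses any key whose prefix does not match the deployment environment. The variable names ANTON_ENV and ANTON_API_KEY, the secret name anton/api-key, and the environment labels are assumptions made for this example; the prefixes ak_live_ and ak_test_ are the ones documented on this page.

```python
import os
from typing import Callable, Mapping, Optional

# Assumed names (not from the page): which environment this deployment is, where the key
# lives in the environment, and the secret name used with a secrets manager.
ENV_VAR_ENVIRONMENT = "ANTON_ENV"
ENV_VAR_API_KEY = "ANTON_API_KEY"
SECRET_NAME = "anton/api-key"

# Only production may use a live key; every other environment must use a sandbox key.
EXPECTED_PREFIX = {
    "production": "ak_live_",
    "staging": "ak_test_",
    "development": "ak_test_",
    "test": "ak_test_",
}


class KeyEnvironmentMismatch(RuntimeError):
    """Raised when the configured key does not belong in the current environment."""


def check_key_for_environment(api_key: str, environment: str) -> str:
    """Return api_key if its prefix matches environment, otherwise raise.

    Unknown environments are rejected rather than defaulting, so a typo in the
    deployment config cannot silently enable a live key.
    """
    expected = EXPECTED_PREFIX.get(environment)
    if expected is None:
        raise KeyEnvironmentMismatch(f"unknown environment {environment!r}")
    if not api_key.startswith(expected):
        raise KeyEnvironmentMismatch(
            f"{environment} requires a key starting with {expected!r}, "
            f"got one starting with {api_key[:8]!r}"
        )
    return api_key


def load_api_key(
    environ: Mapping[str, str] = os.environ,
    fetch_secret: Optional[Callable[[str], str]] = None,
) -> str:
    """Load and validate the Anton key at startup.

    fetch_secret is whatever thin wrapper your deployment has around its secrets manager
    (for AWS, a function calling boto3's get_secret_value and returning SecretString);
    it is injected so that this module never reads a file on disk. When it is absent,
    the environment variable is used as the minimum acceptable fallback.
    """
    environment = environ.get(ENV_VAR_ENVIRONMENT, "development")
    if fetch_secret is not None:
        api_key = fetch_secret(SECRET_NAME)
    else:
        api_key = environ.get(ENV_VAR_API_KEY, "")
    if not api_key:
        raise KeyEnvironmentMismatch("no Anton API key configured")
    return check_key_for_environment(api_key, environment)


if __name__ == "__main__":
    # Constructed demo: a developer machine accidentally holding a (fake) live key.
    try:
        load_api_key({"ANTON_ENV": "development", "ANTON_API_KEY": "ak_live_0123456789abcdef"})
    except KeyEnvironmentMismatch as exc:
        print("refusing to start:", exc)
```

Failing at startup is deliberate: a mismatch discovered at the first real request would already have reached the production API.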

Rotate Keys Regularly

Key rotation limits how long a leaked key stays usable, including a leak you have not noticed. Follow this process:

  1. Create a new API key in the merchant portal

  2. Update your application to use the new key

  3. Verify the new key works correctly in production

  4. Revoke the old key

We recommend rotating keys at least quarterly, or immediately if you suspect any key may have been exposed. Keep the old key active until step 3 is complete so that requests in flight during the switch are not rejected, then revoke it promptly.
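As an added example of how an application can follow steps 2 to 4 without a redeploy (this is not Anton's code and assumes nothing about Anton's HTTP API): a key provider that re-reads the secret from the secrets manager after a TTL, and a request wrapper that forces an immediate re-read when Anton rejects the key, so a rotation performed in the portal is picked up as soon as the old key is revoked. The fetch callable, the request callable, the key values, and the fake endpoint behaviour in the scenario are all constructed for this example.

```python
import time
from typing import Callable, Optional


class RotatingApiKey:
    """Serve the current key from a secrets manager and pick up rotations while running.

    fetch returns the latest stored key (for example a wrapper around your secrets
    manager client); clock is injectable so the TTL logic can be tested deterministically.
    """

    def __init__(self, fetch: Callable[[], str], ttl_seconds: float = 300.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._fetch = fetch
        self._ttl = ttl_seconds
        self._clock = clock
        self._key: Optional[str] = None
        self._loaded_at = float("-inf")

    def current(self) -> str:
        """Return the cached key, re-reading the secret once the TTL has elapsed."""
        if self._key is None or self._clock() - self._loaded_at >= self._ttl:
            self.refresh()
        return self._key

    def refresh(self) -> str:
        """Force a re-read. Call this when Anton rejects the key so that a rotation
        already completed in the portal is adopted immediately instead of after the TTL."""
        self._key = self._fetch()
        self._loaded_at = self._clock()
        return self._key


def send_with_key_refresh(provider: RotatingApiKey, request: Callable[[str], int]) -> int:
    """Issue request(key) and, on a 401, refresh the key and retry exactly once.

    request is your own function that performs the HTTP call with the given key and
    returns the status code (assumed here; Anton's API is not described on this page).
    Retrying once is enough: a second 401 means the stored secret itself is wrong.
    """
    status = request(provider.current())
    if status == 401:
        status = request(provider.refresh())
    return status


def rotation_scenario() -> list[tuple[str, int]]:
    """Constructed walk-through of the rotation steps against a fake secret store and a
    fake endpoint. Returns (key used, status) for every request that was sent."""
    secret = {"value": "ak_live_keyA"}          # what the secrets manager currently holds
    valid_keys = {"ak_live_keyA"}               # what the fake Anton endpoint accepts
    now = {"t": 0.0}
    provider = RotatingApiKey(lambda: secret["value"], ttl_seconds=300.0,
                              clock=lambda: now["t"])
    sent: list[tuple[str, int]] = []

    def request(key: str) -> int:
        status = 200 if key in valid_keys else 401
        sent.append((key, status))
        return status

    send_with_key_refresh(provider, request)    # key A loaded and accepted
    secret["value"] = "ak_live_keyB"            # steps 1-2: new key created and stored
    valid_keys.add("ak_live_keyB")
    now["t"] = 100.0
    send_with_key_refresh(provider, request)    # step 3 overlap: cached A still works
    valid_keys.discard("ak_live_keyA")          # step 4: old key revoked in the portal
    now["t"] = 200.0
    send_with_key_refresh(provider, request)    # A gets 401, refresh adopts B, retry succeeds
    return sent


if __name__ == "__main__":
    for key, status in rotation_scenario():
        print(f"{key}: {status}")
```

With this in place, "update your application to use the new key" is a secrets-manager write rather than a code change, and the old key can be revoked as soon as the new one has been verified.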

Use Descriptive Key Names

When creating API keys in the merchant portal, give them descriptive names that identify their purpose (e.g., "Production API Server", "Staging CI Pipeline", "Batch Processing Service"). This makes it easy to identify which key to revoke if an issue arises.

Minimize Key Distribution

Only provision API keys to the systems and team members that genuinely need them. The fewer places a key exists, the lower the risk of exposure. Review your active keys periodically in the merchant portal and revoke any that are no longer in use.

What to Do If a Key Is Compromised

  1. Revoke the key immediately in the merchant portal under Settings > API Keys

  2. Create a new key and update your systems

  3. Review recent activity to check for any unauthorized transactions

  4. Contact Anton support at [email protected] if you observe suspicious activity
