API Keys
API keys are used to authenticate requests and provide access control for Azotte's platform services.
Key Types and Permissions
Publishable Keys (Client-Safe)
- Prefix: pk_dev_ or pk_live_
- Usage: Client-side applications, mobile apps
- Permissions: Read-only access to public data
- Safe to expose: Can be included in client-side code
Secret Keys (Server-Only)
- Prefix: sk_dev_ or sk_live_
- Usage: Server-side applications, backend services
- Permissions: Full read/write access
- Must be protected: Never expose in client-side code
Key Management
Generating API Keys
- Log into the Azotte Portal
- Navigate to Developer Settings
- Click "Generate New API Key"
- Select key type and permissions
- Copy and securely store the key
Key Rotation
# Best practice: Rotate keys quarterly
# 1. Generate new key
# 2. Update applications gradually
# 3. Deactivate old key after transition
Environment Separation
# Development
AZOTTE_API_KEY: sk_dev_1234567890abcdef
AZOTTE_TENANT_ID: tenant_dev_abc123
# Production
AZOTTE_API_KEY: sk_live_9876543210fedcba
AZOTTE_TENANT_ID: tenant_prod_xyz789
Permissions and Scopes
Read Permissions
- View subscriptions
- Access customer data
- Retrieve bundles and pricing
- Read analytics data
Write Permissions
- Create subscriptions
- Modify customer information
- Process payments
- Manage campaigns
Administrative Permissions
- Manage API keys
- Configure webhooks
- Access audit logs
- Manage team members
Security Guidelines
Storage Best Practices
# ✅ Good: Environment variables
export AZOTTE_API_KEY="sk_dev_1234567890abcdef"
# ✅ Good: Secure configuration files (not in VCS)
# config/secrets.json
# ❌ Bad: Hardcoded in source code
const apiKey = "sk_dev_1234567890abcdef"; // Don't do this!
# ❌ Bad: Committed to version control
# .env files in git repositories
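The key-type, environment-separation and storage rules above can be enforced at process start rather than left to convention. The following is an added example, not Azotte SDK code; the key format it assumes (`pk_`/`sk_` prefix, `dev`/`live` segment, then an alphanumeric body) is inferred from the prefixes on this page, and every key value in it is a constructed sample.

```javascript
// Added example (not Azotte's own SDK): enforce the key-type and
// environment rules from this page at startup, so a secret key never
// ships in a client build and a dev key never reaches production.
// Key format is assumed from the documented prefixes; all key values
// used here are constructed samples, not real credentials.
const KEY_PATTERN = /^(pk|sk)_(dev|live)_([A-Za-z0-9]+)$/;

// Parse the prefix into key type and environment; reject anything else.
function classifyKey(key) {
  const m = KEY_PATTERN.exec(key || '');
  if (!m) throw new Error('unrecognized Azotte API key format');
  return {
    type: m[1] === 'pk' ? 'publishable' : 'secret',
    env: m[2] === 'dev' ? 'development' : 'production',
  };
}

// Show only the prefix and last four characters in logs and errors.
function redact(key) {
  const m = KEY_PATTERN.exec(key || '');
  return m ? `${m[1]}_${m[2]}_...${m[3].slice(-4)}` : '<invalid>';
}

// Server side: the key comes from the environment (never hardcoded),
// must be a secret key, and must match the environment the process
// runs in (NODE_ENV=production expects an sk_live_ key).
function loadServerKey(env, nodeEnv) {
  const key = env.AZOTTE_API_KEY;
  if (!key) throw new Error('AZOTTE_API_KEY is not set');
  const info = classifyKey(key);
  if (info.type !== 'secret') {
    throw new Error(`server needs a secret key, got ${redact(key)}`);
  }
  const wanted = nodeEnv === 'production' ? 'production' : 'development';
  if (info.env !== wanted) {
    throw new Error(`${redact(key)} is a ${info.env} key but NODE_ENV is ${nodeEnv}`);
  }
  return key;
}

// Client-side bundle guard: only publishable keys may be embedded.
function assertClientSafe(key) {
  if (classifyKey(key).type !== 'publishable') {
    throw new Error(`refusing to embed ${redact(key)} in client code`);
  }
  return true;
}
```

Call `loadServerKey(process.env, process.env.NODE_ENV)` once at startup and `assertClientSafe` in the client build step; a mismatch fails fast with a redacted key in the message instead of leaking the full value to logs.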
Access Control
- Limit key permissions to minimum required
- Use separate keys for different services
- Implement key-based rate limiting
- Monitor key usage patterns
Key Monitoring
Usage Analytics
- Request volume per key
- Error rates and patterns
- Geographic usage distribution
- Feature usage by key
Security Monitoring
- Unusual usage patterns
- Failed authentication attempts
- Geographic anomalies
- Rate limit violations
Next Steps
- Understand Tenant Context
- Learn about Rate Limiting
- Explore Error Handling