API keys and least privilege in browser-facing apps
Scope keys per project, rotate on incident, and never treat the browser as a secret store.
Tags: security, api-keys, best-practices
What an API key proves
An API key identifies a calling project and carries the policy attached to that project: rate limits, allowed targets, permitted origins. It proves which project is calling, not which user; it does not stand in for user identity unless it is combined with a user-bound credential such as an OAuth access token.
Assume any key embedded in a frontend will leak: it ships in the bundle and is visible in the browser's network tab, so scope it to the minimum the browser actually needs (read-only, public endpoints) and never treat the browser as a secret store. For user-specific actions, prefer short-lived tokens minted server-side after the user has authenticated.
Operational hygiene
Rotate keys after employee offboarding or any suspected exposure, and keep separate keys per environment (development, staging, production) so that a leaked test key cannot reach production data and so that rotating one does not break the others.
Monitor for anomalies per key: a sudden shift in request geography or a spike in error responses often precedes an abuse report, and per-key metrics tell you which key to rotate rather than forcing you to rotate everything.
