Security & Compliance

API Key Security

Protect API keys across generation, storage, rotation, and revocation workflows.

Overview

API keys grant direct workspace access. Treat them like production credentials: backend-only usage, controlled distribution, and predictable rotation/revocation operations.

What You Will Learn

  • How to structure key ownership by service and environment.
  • How to rotate keys without downtime using overlap windows.
  • How to respond quickly when a key is leaked or misused.

Implementation Checklist

  • Create separate keys per backend service (worker, scheduler, admin jobs) instead of sharing one key across systems.
  • Store keys only in a secrets manager and inject at runtime; never ship keys in frontend bundles or client apps.
  • Use dual-key rotation: create the new key, deploy it, verify traffic on it, then revoke the old key.
  • Rotate keys on schedule and immediately after staffing or incident events.
  • On suspected exposure, revoke first and then investigate using request/audit correlation.

Deep Dive

1) Key ownership model

Each key should have a clear owner and runtime scope so revocation is low-risk and traceable.

  • Name keys by service and environment (for example `scheduler-prod`).
  • Avoid one shared key across multiple runtimes.
  • Document key owner and rotation date in your runbook.

2) Zero-downtime rotation sequence

Rotation should be routine, tested, and reversible without breaking publish pipelines.

  • Create the replacement key and deploy it to all target services.
  • Monitor successful requests with the new key before revoking the old one.
  • Keep a short overlap window to avoid race conditions during deploy rollouts.

3) Incident response for leaked keys

Treat any exposed key as compromised until proven otherwise and rotate immediately.

  • Revoke the compromised key through the API key endpoints.
  • Review recent usage patterns and request IDs for abnormal activity.
  • Issue replacement keys and verify all automation paths are healthy.

Relevant Endpoints

POST /v1/api-keys
Create a scoped key for backend usage.

GET /v1/api-keys
List active API keys for the workspace.

PATCH /v1/api-keys/{key_id}
Update API key metadata.

DELETE /v1/api-keys/{key_id}
Revoke a key that should no longer be used.
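The zero-downtime rotation sequence from section 2, driven through the endpoints listed above, as an added example that is not the product's SDK or documentation code. The `FakeKeyApi` stand-in, its method names, the key id format and the two callbacks (`deploy`, `observed_requests`) are assumptions; in a real deployment each method would call the HTTP endpoint noted in its comment.

```python
"""Dual-key rotation: create, deploy, verify, then revoke (added example)."""
import secrets
from dataclasses import dataclass, field


@dataclass
class FakeKeyApi:
    """In-memory stand-in for /v1/api-keys (assumed shape, not the real API)."""
    keys: dict = field(default_factory=dict)  # key_id -> {"name": str, "active": bool}

    def create(self, name):            # POST /v1/api-keys
        key_id = f"key_{secrets.token_hex(4)}"
        self.keys[key_id] = {"name": name, "active": True}
        return key_id

    def list_active(self):             # GET /v1/api-keys
        return [k for k, v in self.keys.items() if v["active"]]

    def revoke(self, key_id):          # DELETE /v1/api-keys/{key_id}
        self.keys[key_id]["active"] = False


def rotate(api, old_key_id, name, deploy, observed_requests, min_requests=1):
    """Rotate old_key_id with overlap; returns the new key id, or None on rollback.

    deploy(new_key_id)            -> True once every target service runs the new key
    observed_requests(new_key_id) -> successful requests seen with the new key
    The old key stays active until the new one is verified, so a failed rollout
    never breaks existing pipelines.
    """
    if old_key_id not in api.list_active():
        raise ValueError("old key is not active; nothing to overlap with")
    new_key_id = api.create(name)                    # overlap window opens
    deployed = deploy(new_key_id)
    verified = deployed and observed_requests(new_key_id) >= min_requests
    if not verified:
        api.revoke(new_key_id)                       # reversible: old key untouched
        return None
    api.revoke(old_key_id)                           # overlap window closes
    return new_key_id
```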
