
Key Management

Secure storage, rotation, and handling of Cresora API keys.

API keys are the primary credential for the Cresora API. Managing them securely is critical.

Storage requirements

Never store API keys in:

  • Source code files
  • .env files committed to source control
  • Client-side code (browser JavaScript)
  • Log files
  • Database records (in plain text)

Always store API keys in:

  • A secrets manager (AWS Secrets Manager, Azure Key Vault, HashiCorp Vault)
  • A CI/CD environment variable vault (GitHub Actions secrets, Vercel environment variables)
  • An encrypted configuration service

Rotation policy

Cresora recommends rotating API keys:

  • Every 90 days as routine practice
  • Immediately upon any suspected compromise
  • Before and after offboarding any employee who had access to the key

Zero-downtime rotation

To rotate a key without downtime:

  1. Generate the new key (old key still active)
  2. Deploy the new key to your secrets manager
  3. Verify your application is using the new key (check API logs for the new key prefix)
  4. Revoke the old key in the Partner Portal

Detecting key compromise

Signs your key may be compromised:

  • Unexpected transactions in your dashboard
  • API calls from unknown IP addresses (visible in audit logs)
  • Alerts from your secrets manager about unusual access patterns

If you suspect compromise: rotate the key immediately via Partner Portal → API Settings → Keys → Rotate. The old key is revoked instantly.
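The following added example (not Cresora's code) parses a constructed audit log and answers two questions from the sections above: whether traffic has fully moved to the new key before the old one is revoked (rotation step 3), and which calls came from IP addresses outside your known egress ranges. The log field layout, the truncated key ids and the IP ranges are all constructed for the example; Cresora's real audit log format is not documented on this page.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample audit log. The layout (timestamp, truncated key id,
# client IP, path, status) is an assumption for this example.
SAMPLE_AUDIT_LOG = """\
2024-06-01T09:00:01Z key=csk_live_4f2a ip=198.51.100.10 path=/v1/orders status=200
2024-06-01T09:00:05Z key=csk_live_4f2a ip=198.51.100.11 path=/v1/orders status=201
2024-06-01T09:00:09Z key=csk_live_9c7e ip=198.51.100.10 path=/v1/orders status=200
2024-06-01T09:00:12Z key=csk_live_9c7e ip=198.51.100.11 path=/v1/refunds status=200
2024-06-01T09:00:15Z key=csk_live_9c7e ip=198.51.100.12 path=/v1/orders status=200
2024-06-01T09:01:40Z key=csk_live_4f2a ip=203.0.113.77 path=/v1/refunds status=201
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) key=(?P<key>csk_(?:test|live)_[A-Za-z0-9]+) "
    r"ip=(?P<ip>\S+) path=(?P<path>\S+) status=(?P<status>\d+)$"
)


def parse_audit_log(text: str) -> list:
    """Turn each well-formed log line into a dict; skip lines that do not match."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def key_usage(entries: list) -> Counter:
    """Calls per truncated key id, as seen in the audit log."""
    return Counter(e["key"] for e in entries)


def rotation_complete(entries: list, old_key: str, new_key: str) -> bool:
    """Step 3 of zero-downtime rotation: only revoke the old key once the
    new key carries traffic and the old key id has stopped appearing."""
    usage = key_usage(entries)
    return usage[new_key] > 0 and usage[old_key] == 0


def calls_from_unknown_ips(entries: list, known_networks: list) -> list:
    """Calls whose client IP is outside the networks your own systems use,
    one of the compromise signals listed above. Returns (ts, key, ip, path)."""
    nets = [ipaddress.ip_network(n) for n in known_networks]
    flagged = []
    for e in entries:
        ip = ipaddress.ip_address(e["ip"])
        if not any(ip in net for net in nets):
            flagged.append((e["ts"], e["key"], e["ip"], e["path"]))
    return flagged


if __name__ == "__main__":
    entries = parse_audit_log(SAMPLE_AUDIT_LOG)
    print("usage:", dict(key_usage(entries)))
    print("safe to revoke csk_live_4f2a:", rotation_complete(entries, "csk_live_4f2a", "csk_live_9c7e"))
    for hit in calls_from_unknown_ips(entries, ["198.51.100.0/24"]):  # constructed egress range
        print("unknown source:", hit)
```

In the constructed log the old key is still in use, so the check reports that it is not yet safe to revoke; the last line, from an address outside the egress range, is the kind of entry that should trigger the immediate rotation described above.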

Least privilege

Use separate keys for different environments and purposes:

  • One csk_test_ key per developer (rotate on offboarding)
  • One csk_live_ key for production (tightly controlled)
  • Consider separate keys for different services if your architecture permits

🔒 Live key access

Limit access to csk_live_ keys to the minimum number of people and systems. Every system and person with live key access is a potential breach vector.
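Added example (not Cresora's code) for the least-privilege rules above: a startup guard that refuses a live key outside production or a test key in production, and a small inventory audit that lists who holds live keys and which test keys are shared between developers. The environment names, the inventory records and the truncated key ids are constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass

LIVE_PREFIX = "csk_live_"
TEST_PREFIX = "csk_test_"

# Which key prefix each deployment environment may hold. The environment
# names are an assumption; the prefixes are the documented ones.
ALLOWED_PREFIX = {
    "production": LIVE_PREFIX,
    "staging": TEST_PREFIX,
    "development": TEST_PREFIX,
}


def key_allowed_in(key: str, app_env: str) -> bool:
    """True when the key's prefix matches what the environment may use."""
    expected = ALLOWED_PREFIX.get(app_env)
    return expected is not None and key.startswith(expected)


def require_key_for_environment(key: str, app_env: str) -> str:
    """Fail fast at startup instead of discovering a misplaced live key
    through unexpected transactions in the dashboard."""
    if not key_allowed_in(key, app_env):
        raise ValueError(f"{app_env!r} cannot use a key starting with {key[:9]!r}")
    return key


@dataclass(frozen=True)
class KeyRecord:
    key_id: str       # truncated id (constructed for this example)
    holder: str       # person or system that can read the secret
    holder_kind: str  # "person" or "system"


# Constructed key inventory: two live keys, three test keys, one of them shared.
INVENTORY = [
    KeyRecord("csk_live_9c7e", "checkout-service", "system"),
    KeyRecord("csk_live_2b1d", "alice", "person"),
    KeyRecord("csk_test_77aa", "alice", "person"),
    KeyRecord("csk_test_58cc", "bob", "person"),
    KeyRecord("csk_test_58cc", "carol", "person"),
]


def live_key_holders(inventory: list) -> list:
    """Every person and system that can use a live key: the list to keep short."""
    return sorted({r.holder for r in inventory if r.key_id.startswith(LIVE_PREFIX)})


def people_with_live_keys(inventory: list) -> list:
    """Individuals holding live keys; each one is an offboarding rotation trigger."""
    return sorted(
        r.holder
        for r in inventory
        if r.key_id.startswith(LIVE_PREFIX) and r.holder_kind == "person"
    )


def shared_test_keys(inventory: list) -> list:
    """Test keys held by more than one developer break the one-key-per-developer
    rule and cannot be rotated cleanly when a single developer leaves."""
    counts = Counter(r.key_id for r in inventory if r.key_id.startswith(TEST_PREFIX))
    return sorted(k for k, n in counts.items() if n > 1)


if __name__ == "__main__":
    require_key_for_environment("csk_live_9c7e", "production")  # accepted
    print("live key holders:", live_key_holders(INVENTORY))
    print("people with live keys:", people_with_live_keys(INVENTORY))
    print("shared test keys:", shared_test_keys(INVENTORY))
```

Run the inventory audit whenever keys are issued or someone leaves; the two reports are the places where the rotation triggers listed under the rotation policy most often get missed.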