Why API Key Security Matters
Your API key is the gateway to your CallPayMin account. A compromised key could allow attackers to create calls, access user data, or rack up charges on your account.
Never commit API keys to version control, include them in client-side code, or share them in public channels.
Use Environment Variables
Store your API keys in environment variables, not in your codebase:
CALLPAYMIN_API_KEY=cpm_live_xxxxxxxxxxxxx
Add the files that hold them to .gitignore so they are never committed:
.env
.env.local
.env.production
Use Scoped API Keys
Create API keys with only the permissions they need. This limits damage if a key is compromised.
| Scope | Permissions | Use Case |
|---|---|---|
| calls:create | Create new calls | Backend call creation |
| calls:read | Read call details | Analytics, dashboards |
| users:manage | Create/update users | User onboarding |
| billing:read | Read billing data | Financial reporting |
| webhooks:manage | Configure webhooks | Admin tools |
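The scope table above is only useful if someone checks, per key, whether the granted scopes match what the workload actually calls. The following least-privilege audit is an added example, not CallPayMin's SDK or dashboard code; the scope names are the ones in the table, while the key objects and their observed usage are constructed sample data.

```python
"""Least-privilege audit for CallPayMin API key scopes (added example)."""
from dataclasses import dataclass

# Scope names from the table above.
KNOWN_SCOPES = frozenset({
    "calls:create", "calls:read", "users:manage", "billing:read", "webhooks:manage",
})


@dataclass(frozen=True)
class ApiKey:
    name: str
    scopes: frozenset


def is_allowed(key: ApiKey, required_scope: str) -> bool:
    """Deny by default: an action is permitted only if the key carries that exact scope."""
    return required_scope in key.scopes


def audit_key(key: ApiKey, scopes_used: set) -> dict:
    """Compare what a key is granted with what its workload actually exercised.

    'excess' scopes are the ones to remove from the key; 'unknown' scopes are not in
    the table and usually mean a typo in the key's configuration; 'missing' scopes are
    actions the workload performs that this key will be denied.
    """
    return {
        "excess": sorted(key.scopes - scopes_used),
        "unknown": sorted(key.scopes - KNOWN_SCOPES),
        "missing": sorted(scopes_used - key.scopes),
    }


# Constructed sample: a backend that only ever creates calls, but whose key was
# also given billing access "just in case". The audit flags billing:read as excess.
BACKEND_KEY = ApiKey("backend-prod", frozenset({"calls:create", "billing:read"}))
BACKEND_USAGE = {"calls:create"}

if __name__ == "__main__":
    print(audit_key(BACKEND_KEY, BACKEND_USAGE))
```

Feed `audit_key` the scopes a key was granted (from the dashboard) and the scopes its service actually used over a period (from your own request logs); anything in `excess` is a candidate for removal before the key is rotated.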
Create Separate Keys per Environment
Use different API keys for development, staging, and production:
- Development: Test key with limited scopes. Safe to experiment with.
- Staging: Mirrors production scopes. For pre-release testing.
- Production: Full access. Protect with maximum security.
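The two practices above, reading the key from an environment variable and using a different key per environment, can be enforced at startup rather than trusted. The loader below is an added example, not CallPayMin's SDK. The variable name `CALLPAYMIN_API_KEY` and the `cpm_live_` prefix come from this page; the `APP_ENV` variable name and the rule that any key without the live prefix is a non-production key are assumptions made for the example.

```python
"""Load the CallPayMin API key from the environment and fail closed on unsafe setups."""
import os

KEY_VAR = "CALLPAYMIN_API_KEY"
ENV_VAR = "APP_ENV"                      # assumed: names the deployment environment
LIVE_PREFIX = "cpm_live_"                # production key prefix shown on this page
PLACEHOLDER = "cpm_live_xxxxxxxxxxxxx"   # the page's sample value; must never be used as-is


class ApiKeyError(RuntimeError):
    """Raised when the key is absent, a placeholder, or in the wrong environment."""


def validate_key(key, app_env):
    """Return the key only when it is real and belongs in this environment."""
    if not key:
        raise ApiKeyError(f"{KEY_VAR} is not set; refusing to start without it")
    if key == PLACEHOLDER or not key.startswith("cpm_"):
        raise ApiKeyError(f"{KEY_VAR} is a placeholder or not a CallPayMin key")
    is_live = key.startswith(LIVE_PREFIX)
    if is_live and app_env != "production":
        # A production key in a dev or staging process is exactly the mix-up
        # that separate keys per environment are meant to prevent.
        raise ApiKeyError(f"live key found in {app_env}; use that environment's own key")
    if app_env == "production" and not is_live:
        raise ApiKeyError("production must run with a live key")
    return key


def load_api_key(environ=None):
    """Read the key from the process environment (or a mapping, for tests)."""
    env = os.environ if environ is None else environ
    return validate_key(env.get(KEY_VAR), env.get(ENV_VAR, "development"))


def redact(key):
    """Form that is safe to log: prefix plus the last four characters only."""
    head = LIVE_PREFIX if key.startswith(LIVE_PREFIX) else "cpm_"
    return f"{head}...{key[-4:]}"


if __name__ == "__main__":
    print(redact(load_api_key()))
```

Call `load_api_key()` once at process start and pass the result to your client; log only `redact(key)`, never the key itself.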
Rotate Keys Regularly
Rotate your API keys periodically (every 90 days recommended) and immediately if you suspect a breach:
- Create a new API key in your dashboard
- Update your environment variables
- Deploy the changes
- Verify the new key works
- Revoke the old key
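The order of the steps above matters: the old key is revoked only after the new one is verified, so a failed deploy never leaves the service without a working key. The helper below encodes that ordering and the 90-day cadence. It is an added example, not CallPayMin's tooling; creating, verifying and revoking keys happen through the CallPayMin dashboard or API, whose calls are not described here, so `verify` and `revoke` are injected callables and the `FakeKeyServer` is a constructed stand-in.

```python
"""Verify-before-revoke key rotation (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Optional

ROTATION_INTERVAL = timedelta(days=90)  # the cadence recommended above


def rotation_due(created_on: date, today: date, suspected_breach: bool = False) -> bool:
    """A key is due at 90 days, or immediately when a breach is suspected."""
    return suspected_breach or (today - created_on) >= ROTATION_INTERVAL


@dataclass
class RotationResult:
    active_key: str               # the key the service should keep using
    revoked_key: Optional[str]    # the key that was revoked, if any
    error: Optional[str] = None


def rotate(old_key: str, new_key: str,
           verify: Callable[[str], bool],
           revoke: Callable[[str], None]) -> RotationResult:
    """Switch to new_key only after it verifies; never revoke old_key before that."""
    if not verify(new_key):
        # Deploy failed or the key was mistyped: keep the old key live, revoke nothing.
        return RotationResult(old_key, None, "new key failed verification; old key kept active")
    revoke(old_key)
    return RotationResult(new_key, old_key)


class FakeKeyServer:
    """Constructed stand-in for the CallPayMin side: tracks which keys are valid."""

    def __init__(self, *keys):
        self.valid = set(keys)

    def verify(self, key):
        # In practice: an authenticated read-only request made with the new key.
        return key in self.valid

    def revoke(self, key):
        self.valid.discard(key)


if __name__ == "__main__":
    server = FakeKeyServer("cpm_live_old")
    # New key not yet created in the dashboard: rotation refuses to revoke.
    print(rotate("cpm_live_old", "cpm_live_new", server.verify, server.revoke))
    server.valid.add("cpm_live_new")   # the "create a new API key" step
    print(rotate("cpm_live_old", "cpm_live_new", server.verify, server.revoke))
```

Wire `verify` to a harmless authenticated request (for example a read with the new key) and `revoke` to the dashboard or API revocation step; run `rotation_due` from a scheduled job against the creation date you recorded when the key was issued.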
Security Checklist
- Store keys in environment variables
- Add .env files to .gitignore
- Use minimal scopes for each key
- Create separate keys per environment
- Rotate keys every 90 days
- Monitor API usage for anomalies
- Never expose keys in client-side code
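"Monitor API usage for anomalies" is the checklist item with the least guidance, so here is an added example of what such a monitor can look like; it is not CallPayMin's code, and the log line layout, the key names and the baseline addresses are all constructed for the demonstration. It flags three signals that matter for a leaked or over-used key: requests from a source the key has never used, a burst of permission-denied responses (a key being pushed beyond its scopes), and a per-minute rate spike.

```python
"""Anomaly checks over API usage logs (added example with constructed data)."""
import re
from collections import Counter

# Constructed sample log. Field layout is an assumption, not CallPayMin's real format.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z key=k_backend ip=10.0.0.5 POST /v1/calls 201
2024-05-01T10:00:02Z key=k_backend ip=10.0.0.5 GET /v1/calls/c_1 200
2024-05-01T10:00:09Z key=k_backend ip=203.0.113.9 GET /v1/billing 403
2024-05-01T10:00:10Z key=k_backend ip=203.0.113.9 GET /v1/users 403
2024-05-01T10:00:11Z key=k_backend ip=203.0.113.9 GET /v1/webhooks 403
2024-05-01T10:01:00Z key=k_analytics ip=10.0.0.7 GET /v1/calls 200
2024-05-01T10:01:01Z key=k_analytics ip=10.0.0.7 GET /v1/calls 200
2024-05-01T10:01:02Z key=k_analytics ip=10.0.0.7 GET /v1/calls 200
2024-05-01T10:01:03Z key=k_analytics ip=10.0.0.7 GET /v1/calls 200
2024-05-01T10:01:04Z key=k_analytics ip=10.0.0.7 GET /v1/calls 200
2024-05-01T10:01:05Z key=k_analytics ip=10.0.0.7 GET /v1/calls 200
"""

# Constructed baseline: the source addresses each key is expected to come from.
BASELINE_IPS = {"k_backend": {"10.0.0.5"}, "k_analytics": {"10.0.0.7"}}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) key=(?P<key>\S+) ip=(?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3})$"
)


def parse_log(text):
    """Turn log lines into dicts; lines that do not match the layout are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            e = m.groupdict()
            e["status"] = int(e["status"])
            events.append(e)
    return events


def detect_anomalies(events, baseline, max_per_minute=5, max_denied=3):
    """Return (rule, key, detail) findings for new sources, denied bursts and rate spikes."""
    findings = []
    per_minute = Counter()
    denied = Counter()
    reported_sources = set()
    for e in events:
        key = e["key"]
        if e["ip"] not in baseline.get(key, set()) and (key, e["ip"]) not in reported_sources:
            reported_sources.add((key, e["ip"]))
            findings.append(("new_source", key, e["ip"]))  # possible leaked key
        per_minute[(key, e["ts"][:16])] += 1              # "YYYY-MM-DDTHH:MM" bucket
        if e["status"] == 403:
            denied[key] += 1
    for (key, minute), n in per_minute.items():
        if n > max_per_minute:
            findings.append(("rate_spike", key, f"{n} requests in minute {minute}"))
    for key, n in denied.items():
        if n >= max_denied:
            findings.append(("denied_burst", key, f"{n} permission-denied responses"))
    return findings


if __name__ == "__main__":
    for finding in detect_anomalies(parse_log(SAMPLE_LOG), BASELINE_IPS):
        print(finding)
```

A `new_source` or `denied_burst` finding on a production key is the cue for the "immediately if you suspect a breach" rotation path above; tune the thresholds to each key's normal traffic rather than using one global value.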
Manage Your Keys
Visit the API Keys Dashboard to create, view, and revoke your API keys.