Secure your integration
Production hardening guide: API key management, secret rotation, transport security, and best practices for a secure Ananke Labs integration.
Overview
Ananke Labs handles sensitive document operations — issuance, verification, and lifecycle management. A compromised integration can issue fraudulent documents or revoke legitimate ones. This guide covers the security practices you should follow before going to production.
API key management
- Each API key is scoped to a single tenant.
- Create separate keys for different environments (development, staging, production).
- Create separate keys for different services if you have multiple backend systems.
- Delete keys that are no longer in use.
Secret storage
Never commit API keys to version control. Use environment variables or a secrets manager:
```shell
export ANANKE_API_KEY="ak_live_..."
```

```typescript
import { AnankeClient } from "@ananke/sdk";

// Read the key from the environment at startup; it is never written into source.
const client = new AnankeClient({
  apiKey: process.env.ANANKE_API_KEY!,
});
```

In production, use your platform's secrets management:
- AWS Secrets Manager / SSM Parameter Store
- Azure Key Vault
- Google Secret Manager
- HashiCorp Vault
- Kubernetes Secrets (encrypted at rest)
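The environment-variable approach above silently accepts an empty, malformed, or wrong-environment key and only fails at the first API call. The following is an added example, not code from the Ananke Labs SDK: it validates the key once at startup, refuses a non-live key in production, and produces a redacted form that is safe to log. The `ak_live_` prefix is taken from this page; the `ak_test_` prefix and the exact key format behind `KEY_PATTERN` are assumptions, so adjust them to the format shown in your Console.

```typescript
// Added example (not part of the Ananke Labs SDK): fail fast on a missing,
// malformed, or wrong-environment API key before the client is constructed.
// Assumptions: live keys start with "ak_live_" (as on this page); the
// "ak_test_" prefix and the body length/charset in KEY_PATTERN are hypothetical.

type Env = Record<string, string | undefined>;

const KEY_PATTERN = /^ak_(live|test)_[A-Za-z0-9]{16,}$/; // assumed key format

export interface LoadedKey {
  value: string;   // the full secret; pass it to the client, never to a logger
  display: string; // prefix plus four characters, safe for logs and errors
  isLive: boolean;
}

/** Reduce a key to a loggable form: "ak_live_abcd...". Unknown shapes become "ak_***". */
export function redactApiKey(key: string): string {
  const m = /^(ak_(?:live|test)_)(.{4})/.exec(key);
  return m ? `${m[1]}${m[2]}...` : "ak_***";
}

/**
 * Load ANANKE_API_KEY from an environment map (process.env in practice) and
 * enforce the per-environment policy: production must use a live key.
 * Error messages never contain the full key.
 */
export function loadApiKey(env: Env, nodeEnv: string = env.NODE_ENV ?? "development"): LoadedKey {
  const raw = env.ANANKE_API_KEY;
  if (!raw || raw.trim() === "") {
    throw new Error("ANANKE_API_KEY is not set; inject it from your secrets manager");
  }
  const value = raw.trim();
  if (!KEY_PATTERN.test(value)) {
    throw new Error(`ANANKE_API_KEY is malformed (got ${redactApiKey(value)})`);
  }
  const isLive = value.startsWith("ak_live_");
  if (nodeEnv === "production" && !isLive) {
    // Whether staging may use a live key is your policy; production must.
    throw new Error("production must use a live key (ak_live_...), not a test key");
  }
  return { value, display: redactApiKey(value), isLive };
}
```

Use it once at module load, `const key = loadApiKey(process.env); const client = new AnankeClient({ apiKey: key.value });`, and log `key.display` rather than `key.value` wherever you need to identify which key a process is running with.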
Key rotation
- Create a new API key in the Console.
- Update your application to use the new key.
- Deploy and verify the new key works.
- Delete the old key from the Console.
Ananke Labs supports multiple active keys per tenant, so you can rotate without downtime.
Transport security
- Always use HTTPS in production. The production API enforces TLS.
- HTTP is acceptable only for local development (`localhost`).
- Verify certificates; do not disable TLS verification in production.
- Use TLS 1.2 or higher.
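The rules above are easy to violate by accident with a misconfigured base URL or a debugging flag left on. As an added example, not code from the Ananke Labs SDK, the function below accepts an `https://` base URL always, accepts `http://` only for loopback hosts outside production, and rejects everything else; the agent factory pins TLS 1.2 as the floor and keeps certificate verification on. Whether the SDK takes a custom base URL or HTTPS agent is an assumption; apply the same settings to whatever HTTP client you use.

```typescript
import { Agent } from "node:https";

// Added example, not from the Ananke Labs SDK. Hostnames are compared as the
// WHATWG URL parser reports them (IPv6 keeps its brackets).
const LOOPBACK_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);

/**
 * Return the parsed base URL if it satisfies the transport policy, else throw.
 * Plain HTTP is allowed only for loopback hosts and never in production.
 */
export function assertSecureBaseUrl(baseUrl: string, nodeEnv: string): URL {
  const url = new URL(baseUrl); // throws on an unparseable value
  if (url.protocol === "https:") return url;
  if (url.protocol === "http:" && nodeEnv !== "production" && LOOPBACK_HOSTS.has(url.hostname)) {
    return url; // local development only
  }
  throw new Error(`insecure base URL rejected: ${url.protocol}//${url.host}`);
}

/** An HTTPS agent that refuses TLS < 1.2 and keeps certificate checks enabled. */
export function secureAgent(): Agent {
  return new Agent({
    minVersion: "TLSv1.2",
    rejectUnauthorized: true, // the default; stated so nobody flips it "for debugging"
    keepAlive: true,
  });
}
```

Call `assertSecureBaseUrl(process.env.ANANKE_BASE_URL ?? "https://...", process.env.NODE_ENV ?? "development")` at startup so a stray `http://` URL in a production deployment fails the boot, not a customer's verification.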
Server-side only
Never expose your API key in client-side code. The SDK is designed for server-side use (Node.js, edge functions, serverless).
- Do not embed the API key in frontend JavaScript, React components, or mobile apps.
- Build a backend proxy that handles authentication and forwards requests to Ananke Labs.
- Use server-side rendering or API routes for verification pages.
```typescript
// app/api/verify/route.ts (server-side)
import { AnankeClient } from "@ananke/sdk";

// The key is read on the server only; it never reaches the browser bundle.
const client = new AnankeClient({
  apiKey: process.env.ANANKE_API_KEY!,
});

export async function POST(req: Request) {
  // Validate the untrusted request body before forwarding anything to Ananke Labs.
  const body = await req.json().catch(() => null);
  const reference = body?.reference;
  if (typeof reference !== "string" || reference.length === 0) {
    return Response.json({ error: "reference is required" }, { status: 400 });
  }
  const result = await client.trust.verify.byReference(reference);
  return Response.json(result);
}
```

Rate limiting
- Implement your own rate limiting on frontend-facing endpoints to prevent abuse.
- Handle `429` responses gracefully with exponential backoff.
- Monitor your quota usage in the Console.
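"Exponential backoff" is often implemented as a fixed retry loop that hammers the API at the worst moment. The block below is an added example, not part of the Ananke Labs SDK: it retries only on `429`, honours a `Retry-After` header when the server sends one (delta-seconds or HTTP date), otherwise uses capped exponential delay with jitter, and gives up after a bounded number of attempts. The error shape (`status` plus optional `retryAfter`) is an assumption; map your SDK's error object onto it.

```typescript
// Added example, not from the Ananke Labs SDK. The RateLimitedError shape is
// assumed; adapt isRateLimited() to the error class your client throws.
export interface RateLimitedError { status: number; retryAfter?: string }

export interface BackoffOptions {
  baseMs: number;        // delay budget for the first retry
  maxMs: number;         // ceiling for any single delay
  maxAttempts: number;   // total calls including the first
  random?: () => number; // injectable for deterministic tests
}

/** Parse Retry-After as delta-seconds or an HTTP date; returns ms or undefined. */
export function parseRetryAfterMs(value: string | undefined, now: number = Date.now()): number | undefined {
  if (!value) return undefined;
  const v = value.trim();
  if (/^\d+$/.test(v)) return Number(v) * 1000;
  const at = Date.parse(v);
  return Number.isNaN(at) ? undefined : Math.max(0, at - now);
}

/**
 * Delay before retry number `attempt` (1-based). A server hint wins (capped at
 * maxMs); otherwise capped exponential growth with "equal jitter", so the
 * delay lands in [exp/2, exp) and clients do not retry in lockstep.
 */
export function backoffDelayMs(attempt: number, opts: BackoffOptions, retryAfter?: string): number {
  const hinted = parseRetryAfterMs(retryAfter);
  if (hinted !== undefined) return Math.min(hinted, opts.maxMs);
  const exp = Math.min(opts.maxMs, opts.baseMs * 2 ** (attempt - 1));
  const rand = opts.random ?? Math.random;
  return Math.floor(exp / 2 + rand() * (exp / 2));
}

export function isRateLimited(err: unknown): err is RateLimitedError {
  return typeof err === "object" && err !== null && (err as { status?: unknown }).status === 429;
}

/** Run fn, retrying only 429s. Any other error propagates immediately. */
export async function withBackoff<T>(
  fn: () => Promise<T>,
  opts: BackoffOptions,
  sleep: (ms: number) => Promise<void> = (ms) => new Promise((r) => setTimeout(r, ms)),
): Promise<T> {
  for (let attempt = 1; ; attempt++) {
    try {
      return await fn();
    } catch (err) {
      if (!isRateLimited(err)) throw err;          // 401/403/5xx are not retried here
      if (attempt >= opts.maxAttempts) throw err;  // budget exhausted: surface the 429
      await sleep(backoffDelayMs(attempt, opts, err.retryAfter));
    }
  }
}
```

Typical use: `withBackoff(() => client.trust.verify.byReference(ref), { baseMs: 200, maxMs: 5_000, maxAttempts: 5 })`. Keep `maxAttempts` small on request paths that a browser is waiting on; a long retry chain there just turns a rate limit into a timeout.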
Logging and auditing
- Never log the full API key. Log only the prefix (`ak_live_...`).
- Log request IDs and trace IDs for debugging.
- Monitor for unusual patterns (bulk failures, auth errors, unexpected traffic spikes).
- Set up alerts for repeated `401` or `403` responses.
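The alerting rule above is concrete enough to implement. The following is an added example, not code from the Ananke Labs SDK or Console: it parses JSON request-log lines (the line format and field names are constructed for this example; map your logger's fields onto them), groups `401`/`403` responses by key prefix, and raises one alert per key the first time more than `threshold` failures fall inside a sliding window. It carries the request IDs along so the alert can go straight into a support ticket.

```typescript
// Added example, not from the Ananke Labs SDK or Console. The JSON log line
// format is constructed for this example; note that it carries key_prefix,
// never the full key.
export interface RequestLogLine {
  ts: number;        // epoch ms
  requestId: string; // request ID returned by the API, for debugging and support
  status: number;
  keyPrefix: string; // e.g. "ak_live_abcd"
}

export interface AuthFailureAlert {
  keyPrefix: string;
  count: number;
  windowStartTs: number;
  requestIds: string[];
}

/** Parse one JSON log line; throws on a line that lacks the fields we alert on. */
export function parseLogLine(line: string): RequestLogLine {
  const o = JSON.parse(line) as Record<string, unknown>;
  const ts = Date.parse(String(o.ts));
  if (Number.isNaN(ts) || typeof o.status !== "number" || typeof o.request_id !== "string" || typeof o.key_prefix !== "string") {
    throw new Error("log line missing ts/status/request_id/key_prefix");
  }
  return { ts, requestId: o.request_id, status: o.status, keyPrefix: o.key_prefix };
}

/**
 * Alert on any key prefix that sees more than `threshold` 401/403 responses
 * within `windowMs`. One alert per key, raised at the first crossing.
 */
export function detectAuthFailureBursts(lines: RequestLogLine[], windowMs: number, threshold: number): AuthFailureAlert[] {
  const byKey = new Map<string, RequestLogLine[]>();
  for (const line of [...lines].sort((a, b) => a.ts - b.ts)) {
    if (line.status !== 401 && line.status !== 403) continue;
    const bucket = byKey.get(line.keyPrefix) ?? [];
    bucket.push(line);
    byKey.set(line.keyPrefix, bucket);
  }
  const alerts: AuthFailureAlert[] = [];
  for (const [keyPrefix, failures] of byKey) {
    let start = 0;
    for (let end = 0; end < failures.length; end++) {
      while (failures[end].ts - failures[start].ts > windowMs) start++; // slide the window
      const count = end - start + 1;
      if (count > threshold) {
        alerts.push({
          keyPrefix,
          count,
          windowStartTs: failures[start].ts,
          requestIds: failures.slice(start, end + 1).map((l) => l.requestId),
        });
        break;
      }
    }
  }
  return alerts;
}

// Constructed sample: ak_live_abcd fails four times in 30 s (alert);
// ak_live_wxyz has a single stray 403 (no alert).
export const sampleLogLines: string[] = [
  '{"ts":"2024-05-01T10:00:00Z","request_id":"req_01","status":401,"key_prefix":"ak_live_abcd"}',
  '{"ts":"2024-05-01T10:00:05Z","request_id":"req_02","status":403,"key_prefix":"ak_live_abcd"}',
  '{"ts":"2024-05-01T10:00:07Z","request_id":"req_03","status":200,"key_prefix":"ak_live_wxyz"}',
  '{"ts":"2024-05-01T10:00:12Z","request_id":"req_04","status":403,"key_prefix":"ak_live_wxyz"}',
  '{"ts":"2024-05-01T10:00:20Z","request_id":"req_05","status":401,"key_prefix":"ak_live_abcd"}',
  '{"ts":"2024-05-01T10:00:30Z","request_id":"req_06","status":401,"key_prefix":"ak_live_abcd"}',
  '{"ts":"2024-05-01T10:00:31Z","request_id":"req_07","status":200,"key_prefix":"ak_live_abcd"}',
];

export function demo(): AuthFailureAlert[] {
  return detectAuthFailureBursts(sampleLogLines.map(parseLogLine), 60_000, 3);
}
```

Feed the output to whatever pager or chat integration you already use. The window and threshold are the tuning knobs: a burst of `401`s on one key usually means a rotated-out key still deployed somewhere, while `403`s on a key that used to work suggest a scope or tenant mismatch worth a human look.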
Production checklist
| Item | Status |
|---|---|
| API key stored in secrets manager (not in code) | Required |
| HTTPS enforced for all API calls | Required |
| API key not exposed in client-side code | Required |
| Separate keys for each environment | Recommended |
| Key rotation procedure documented | Recommended |
| Rate limiting on public-facing endpoints | Recommended |
| Error monitoring and alerting configured | Recommended |
| Audit logging for issuance/revocation actions | Recommended |
Next steps
- API Reference — Understand all available endpoints.
- Error reference — Handle all error scenarios.
- Rate limits — Understand request quotas.