Document Stack

API Key Security

Best practices for creating, storing, rotating, and managing API keys securely.

API Key Basics

API keys authenticate your application with Document Stack. They are equivalent to passwords — anyone with your API key can generate documents and access resources in your organization.

Treat Keys as Secrets

Never share API keys publicly, commit them to version control, or include them in client-side code. Treat them with the same care as database passwords.

Secure Storage

Store API keys securely using environment variables or secret management services:

.env (never commit this file):
DOCUMENTSTACK_API_KEY=ds_live_abc123...

Access from environment (Node.js):
const apiKey = process.env.DOCUMENTSTACK_API_KEY;

if (!apiKey) {
    throw new Error("DOCUMENTSTACK_API_KEY is not set");
}

  • Environment variables — Use .env files locally; set via platform UI in production
  • Secret managers — AWS Secrets Manager, Google Secret Manager, Azure Key Vault, HashiCorp Vault
  • CI/CD secrets — GitHub Actions secrets, GitLab CI variables, Vercel environment variables

Prevent Accidental Commits

Always add .env files to .gitignore:

.gitignore
# Environment variables
.env
.env.local
.env.production
.env*.local

Pre-commit Hooks

Use tools like git-secrets or detect-secrets to prevent accidental commits of API keys.
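As an added illustration of what such a hook does (this is example code written for this page, not part of Document Stack or of git-secrets/detect-secrets), the script below scans staged file contents for strings shaped like the ds_test_/ds_live_ keys shown on this page and fails the commit if any are found. The exact key shape (prefix plus at least 16 token characters) is an assumption; the scanner never prints a matched key in full.

```javascript
// Added example: a minimal pre-commit secret scanner for Document Stack-style keys.
// Not part of Document Stack. The key shape is an assumption based on the
// ds_test_ / ds_live_ prefixes shown in the documentation.
const KEY_PATTERN = /\bds_(?:live|test)_[A-Za-z0-9_]{16,}\b/g;

// Keep only the "ds_live_" / "ds_test_" prefix and the last four characters.
function redactKey(key) {
  const prefixEnd = key.indexOf("_", key.indexOf("_") + 1) + 1; // index just after "ds_live_"
  return key.slice(0, prefixEnd) + "..." + key.slice(-4);
}

// Replace every key-shaped token in a string with its redacted form,
// so previews and log lines never carry a usable secret.
function redactKeys(text) {
  return text.replace(KEY_PATTERN, (match) => redactKey(match));
}

// Scan file contents line by line; each finding carries a redacted preview only.
function scanForKeys(text, fileName = "<stdin>") {
  const findings = [];
  text.split("\n").forEach((line, index) => {
    const matches = line.match(KEY_PATTERN); // String.match with /g returns all matches or null
    if (matches) {
      findings.push({
        file: fileName,
        line: index + 1,
        count: matches.length,
        preview: redactKeys(line),
      });
    }
  });
  return findings;
}

// Pre-commit entry point: read each staged file as git will commit it
// (`git show :path` prints the index version) and scan it.
function scanStagedChanges() {
  const { execFileSync } = require("child_process");
  const files = execFileSync("git", ["diff", "--cached", "--name-only", "--diff-filter=ACM"], {
    encoding: "utf8",
  })
    .split("\n")
    .filter(Boolean);
  return files.flatMap((file) => {
    const staged = execFileSync("git", ["show", `:${file}`], { encoding: "utf8" });
    return scanForKeys(staged, file);
  });
}

// Run as a hook with: node scan-keys.js --staged   (exit code 1 blocks the commit)
if (process.argv.includes("--staged")) {
  const findings = scanStagedChanges();
  for (const f of findings) {
    console.error(`Possible API key at ${f.file}:${f.line}: ${f.preview}`);
  }
  process.exit(findings.length > 0 ? 1 : 0);
}
```

Wire it up by calling `node scan-keys.js --staged` from `.git/hooks/pre-commit` (or from a hook manager such as husky); the hook reads the staged copy of each file rather than the working tree, so a key that is staged but later edited in the working copy is still caught.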

Key Rotation

Regularly rotate API keys to limit exposure:

  1. Create a new API key in the dashboard
  2. Update your application to use the new key
  3. Verify the new key works in production
  4. Delete the old key from the dashboard

We recommend rotating keys at least every 90 days, and immediately if you suspect a key has been compromised.

Multiple Keys

Create separate keys for different environments and services:

| Key                  | Environment | Purpose                  |
|----------------------|-------------|--------------------------|
| ds_test_...          | Development | Local testing            |
| ds_live_staging_...  | Staging     | Pre-production testing   |
| ds_live_prod_...     | Production  | Live document generation |
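One way to enforce the separation in the table above is a startup check that refuses to run when the key's prefix does not match the deployment environment, so a production key cannot quietly end up in a developer's shell and a test key cannot reach production. The code below is an added example, not Document Stack's own code; the prefixes come from the table, while the NODE_ENV names and the rule that development must use a ds_test_ key are assumptions for this example.

```javascript
// Added example, not Document Stack code: match the key prefix to the environment.
// Prefixes are taken from the documentation table; the NODE_ENV values are assumed.
const EXPECTED_PREFIX = {
  development: "ds_test_",
  staging: "ds_live_staging_",
  production: "ds_live_prod_",
};

// Returns the expected prefix when the key fits the environment; otherwise throws.
// Error messages name the environment and the prefix family only, never the key value,
// so they are safe to surface in logs and crash output.
function assertKeyMatchesEnvironment(apiKey, nodeEnv) {
  if (typeof apiKey !== "string" || apiKey.length === 0) {
    throw new Error("DOCUMENTSTACK_API_KEY is not set");
  }
  const expected = EXPECTED_PREFIX[nodeEnv];
  if (!expected) {
    throw new Error(
      `Unknown NODE_ENV "${nodeEnv}"; expected one of ${Object.keys(EXPECTED_PREFIX).join(", ")}`
    );
  }
  if (!apiKey.startsWith(expected)) {
    // Identify which family the key belongs to without echoing the key itself.
    const found = Object.entries(EXPECTED_PREFIX).find(([, prefix]) => apiKey.startsWith(prefix));
    const foundLabel = found
      ? `${found[0]} key (${found[1]}...)`
      : "key with an unrecognised prefix";
    throw new Error(`NODE_ENV is "${nodeEnv}" but DOCUMENTSTACK_API_KEY is a ${foundLabel}`);
  }
  return expected;
}

// Load the key from the environment and validate it before the app starts
// serving traffic. `env` is injectable so the check can be tested offline.
function loadApiKey(env = process.env) {
  const key = env.DOCUMENTSTACK_API_KEY;
  assertKeyMatchesEnvironment(key, env.NODE_ENV || "development");
  return key;
}
```

Call `loadApiKey()` once at process start and keep the returned value in a server-side module; a mismatch then fails the deployment immediately instead of surfacing as confusing billing or data in the wrong organisation later.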

What to Never Do

  • ❌ Hard-code keys in source code
  • ❌ Include keys in client-side JavaScript or mobile apps
  • ❌ Share keys via email, Slack, or chat
  • ❌ Use the same key across all environments
  • ❌ Log API keys in application logs
  • ❌ Include keys in error messages or stack traces

If a Key Is Compromised

  1. Delete the key immediately — Go to the dashboard and remove the compromised key
  2. Create a new key — Generate a fresh key
  3. Update your application — Deploy with the new key
  4. Audit usage — Check audit logs for unauthorized activity
  5. Investigate — Determine how the key was exposed and fix the root cause

Server-Side Only

API keys must only be used in server-side code. Never expose them in:

  • Browser JavaScript (React, Vue, Angular client code)
  • Mobile applications
  • Public repositories
  • API documentation examples with real keys

If you need to generate PDFs from a client application, route requests through your own backend server that holds the API key.

Next Steps