API Key Security
Recommendations for keeping your API key secure.
A Fleetio API key is a secret token that allows you to access your Fleetio data. We recommend keep your API secure by treating it like a password. If someone else gains access to your API key, they will be able to impersonate you on the Fleetio platform and gain access your Fleetio data.
Here are some tips for keeping your API Key secret.
1. Do not share your API key
We recommend that you create a new API key for each integration. Do not re-use your API key for multiple integrations, and do not share your API key with anyone else. In order to configure the approprate permissions for each integration, we recommend you create a new User in Fleetio specifically for this 3rd party. Here's how:
- Create a new Contact in Fleetio a. Make sure to check Enable Acess to Fleetio. b. Give the Contact a name that will help you identify this 3rd party.
- Create a new Role, and configure Permissions We recommend that you configure the minimum permissions necessary for this 3rd party to do their job. If they only need to read Meter Entries, for example, configure their permissions to only allow them to read Meter Entries.
- Login as your new User and create an API key.
2. Do not commit your API key into your source code repository.
We recommend that you avoid committing your API key into your version control repository like git or svn. Because version control repositories tend to have immutable histories, it can be difficult to hide a secret that was committed.
If you do commit your API key into your repository, we recommend that you consider it compromised and generate a new one.
As an alternative, we recommend that you use environment variables instead.
3. Use a Password or Secret Manager
We recommend that you use a password or secret manager to store your API key, especially if you need to share secrets amongst members of a team. It will also allow you to share access, while also enabling you to rotate keys and revoke access as necessary.
4. Rotate your API key periodically
We also recommend that you rotate your keys periodically. This will help you limit the impact of a compromised key.
If you have any questions about API key security, please contact us and we will be happy to help.