Security Considerations
API key management, signing secret rotation, and secure credential storage
Security Considerations
Essential security patterns for integrating with the Starship Rewards API. This guide covers API key management, signing secret rotation, secure credential storage, and network security.
Credential Inventory
Each API credential consists of three values. Understand what each protects:
| Credential | Format | Sensitivity | Rotation |
|---|---|---|---|
| API Key | sk_live_* / sk_test_* | Medium -- identifies your credential | Regenerate via Client Portal |
| API Secret | Opaque string | High -- authenticates requests | Regenerate via Client Portal (new key + secret together) |
| Signing Secret | whsec_* | High -- signs requests and webhook deliveries | Rotate independently via /rotate-signing-secret |
The API Secret and Signing Secret are shown only once at generation time. Store them immediately in your secrets manager.
Secure Credential Storage
Environment Variables (Recommended)
# .env (never commit this file)
STARSHIP_API_KEY=sk_live_abc123def456
STARSHIP_API_SECRET=your-api-secret
STARSHIP_SIGNING_SECRET=whsec_your_signing_secretSecrets Managers
For production deployments, use a dedicated secrets manager:
| Platform | Service |
|---|---|
| AWS | Secrets Manager or SSM Parameter Store |
| GCP | Secret Manager |
| Azure | Key Vault |
| Self-hosted | HashiCorp Vault |
| Docker | Docker Secrets |
| Kubernetes | K8s Secrets (encrypted at rest) |
What NOT to Do
- Never commit credentials to version control
- Never log API secrets or signing secrets (even at debug level)
- Never embed credentials in client-side code (JavaScript, mobile apps)
- Never share credentials over email, Slack, or other unencrypted channels
- Never use the same credential across environments (use
sk_test_*for staging)
Key Rotation Strategy
API Key + Secret Rotation
Rotate API credentials quarterly, or immediately if compromised:
- Generate new credentials in the Client Portal (Settings → API Keys → Generate)
- Test the new credentials against your staging environment
- Deploy the new credentials to production
- Verify production requests succeed with new credentials
- Revoke the old credentials
# Step 5: Revoke old credentials
curl -X POST "{{host}}/client/api/api-keys/OLD_ID/revoke-api-key" \
-H "Cookie: session=your-portal-session"Generating new credentials does NOT automatically revoke old ones. Both work simultaneously until you explicitly revoke the old credential. This enables zero-downtime rotation.
Signing Secret Rotation
The signing secret can be rotated independently of the API key and secret. This is useful when you want to rotate the HMAC signing material without disrupting basic authentication.
# Rotate signing secret only (Client Portal session auth)
curl -X POST "{{host}}/client/api/api-keys/1/rotate-signing-secret" \
-H "Cookie: session=your-portal-session"Response (new secret shown once):
{
"success": true,
"data": {
"signing_secret": "whsec_new_secret_value_here"
}
}Rotation steps:
- Call
/rotate-signing-secret-- generates new secret - Update your application with the new signing secret
- Both your HMAC request signing and webhook signature verification update automatically
- The old signing secret stops working immediately -- plan for a brief transition window
Signing secret rotation is immediate. Unlike API key rotation, there is no overlap period. Coordinate the rotation with a deployment to minimize failed requests.
Network Security
HTTPS Only
All API communication must use HTTPS (TLS 1.2+). Plain HTTP requests are rejected. Webhook endpoints must also use HTTPS.
IP Whitelisting
Contact your admin to configure IP whitelisting for your API credential. When enabled, requests from non-whitelisted IPs are rejected with 403 Forbidden, even with valid credentials.
Rate Limiting
The API enforces rate limits per credential:
| Endpoint Group | Limit | Window |
|---|---|---|
Authentication (/auth/*) | 10 requests | 1 minute |
| Read operations (GET) | 100 requests | 1 minute |
| Write operations (POST/PUT/DELETE) | 30 requests | 1 minute |
When rate-limited, the API returns 429 Too Many Requests with a Retry-After header.
Request Timeouts
Set reasonable timeouts in your HTTP client:
| Operation | Recommended Timeout |
|---|---|
| Connect | 5 seconds |
| Read (GET) | 15 seconds |
| Write (POST) | 30 seconds |
| Large orders (qty > 50) | 60 seconds |
Monitoring and Alerting
What to Monitor
| Signal | Threshold | Action |
|---|---|---|
401 responses | > 5 in 1 minute | Check credentials, possible key compromise |
403 responses | Any unexpected | IP whitelist issue or permission change |
429 responses | > 3 in 5 minutes | Reduce request rate, implement backoff |
HMAC invalid signature | Any | Check signing implementation, clock drift |
| Webhook delivery failures | > 10% failure rate | Check endpoint health, signature verification |
Audit Trail
The Starship admin panel logs all credential operations:
- API key generation / revocation
- Signing secret rotation
- HMAC enable / disable
- IP whitelist changes
Contact your admin to review audit logs if you suspect unauthorized credential use.
Security Checklist
| Check | Status |
|---|---|
| API credentials stored in environment variables or secrets manager | |
Credentials never committed to version control (.env in .gitignore) | |
Separate credentials for staging (sk_test_*) and production (sk_live_*) | |
| API key rotation schedule established (quarterly recommended) | |
| Webhook signature verification implemented | |
| HTTPS enforced for all API and webhook communications | |
| Rate limiting handled with exponential backoff | |
| Monitoring alerts configured for auth failures | |
| HMAC request signing enabled (recommended for production) |
Related
- Authentication Overview -- API key setup and migration path
- HMAC Request Signing -- Full signing specification
- Webhooks -- Webhook signature verification