API Keys

Managing API Keys

Learn how to create, manage, and secure your FinFusion API keys. Proper API key management is crucial for maintaining the security and reliability of your integration.

Never commit API keys to version control or expose them in client-side code. Keep them secure and rotate them regularly.

Types of API Keys

Development Keys

Used for testing and integration in the sandbox environment

Prefix: dev_
Features:
  • Rate limits for testing
  • Simulated responses
  • Test data access
  • Webhook testing

Production Keys

Used for live transactions in the production environment

Prefix: prod_
Features:
  • Higher rate limits
  • Live transaction processing
  • Production data access
  • SLA guarantees

Restricted Keys

Limited-scope keys for specific services or operations

Prefix: rest_
Features:
  • Limited permissions
  • Service-specific access
  • Enhanced security
  • Granular control

Creating and Managing API Keys

Creating a New API Key

# Using the API (curl)
curl -X POST "https://api.finfusion.cloud/v1/api-keys" \
  -H "Authorization: Bearer YOUR_ADMIN_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Production API Key",
    "type": "production",
    "permissions": ["payments", "kyc", "reporting"],
    "expiration": "2025-12-31"
  }'

Using API Keys

// Node.js
const finfusion = new FinFusion({
  apiKey: process.env.FINFUSION_API_KEY,
  environment: 'production',
  options: {
    timeout: 30000,
    retries: 3
  }
});

# Python
import os

from finfusion import FinFusion

client = FinFusion(
    api_key=os.environ.get('FINFUSION_API_KEY'),
    environment='production',
    options={
        'timeout': 30000,
        'retries': 3
    }
)

// Java
FinFusion client = new FinFusion.Builder()
    .apiKey(System.getenv("FINFUSION_API_KEY"))
    .environment("production")
    .timeout(30000)
    .retries(3)
    .build();

Key Rotation

// Rotate API key
const newKey = await finfusion.apiKeys.rotate({
  currentKey: 'current_key_id',
  gracePeriod: '48h', // Both keys will work for 48 hours
  notifyEmails: ['security@yourcompany.com']
});

// Verify key rotation
const keyInfo = await finfusion.apiKeys.verify(newKey.id);

Security Guidelines

Storage

  • Use environment variables
  • Encrypt at rest
  • Secure key vaults
  • Access control

Rotation

  • Regular rotation schedule
  • Automated rotation
  • Version tracking
  • Emergency rotation procedures

Monitoring

  • Usage tracking
  • Anomaly detection
  • Rate limit monitoring
  • Access logs

Monitoring and Auditing

// Get API key usage metrics
const usage = await finfusion.apiKeys.getUsage({
  keyId: 'your_key_id',
  timeframe: {
    start: '2024-01-01',
    end: '2024-01-31'
  },
  metrics: ['requests', 'errors', 'latency']
});

// Get audit logs
const logs = await finfusion.apiKeys.getLogs({
  keyId: 'your_key_id',
  limit: 100,
  eventTypes: ['key.created', 'key.rotated', 'key.accessed']
});

Best Practices

  • Environment Variables: Store keys in environment variables or secure vaults
  • Separate Environments: Use different keys for development and production
  • Key Rotation: Implement regular key rotation (every 90 days recommended)
  • Access Control: Limit API key access to necessary personnel only
  • Monitoring: Set up alerts for unusual API key usage patterns
  • Documentation: Maintain documentation of all active API keys and their purposes
  • Emergency Procedures: Have a plan for emergency key revocation

Immediately revoke any API keys that may have been compromised and rotate all related keys.
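
The rule against committing keys can be enforced in a pre-commit hook or CI step, because every key type carries a documented prefix. The scanner below is an added example, not FinFusion code; the key-body format (16 or more alphanumeric characters with at least one letter and one digit), the function names and the sample files are assumptions made for illustration.

```javascript
// Added example, not FinFusion code. The page documents only the key prefixes
// (dev_, prod_, rest_). ASSUMPTION: the key body is 16+ characters of
// [A-Za-z0-9] and contains at least one letter and one digit.
const KEY_PATTERN = /\b(dev|prod|rest)_([A-Za-z0-9]{16,})/g;
const KEY_TYPES = { dev: 'development', prod: 'production', rest: 'restricted' };

// Show the prefix and last four characters only, so the report itself
// does not leak the key into CI logs.
function redact(key) {
  const prefix = key.slice(0, key.indexOf('_') + 1);
  return `${prefix}****${key.slice(-4)}`;
}

// Scan one file's text; returns one finding per key-like token.
function scanText(text, file) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, i) => {
    for (const m of line.matchAll(KEY_PATTERN)) {
      const body = m[2];
      // Skip ordinary identifiers such as rest_ofTheArgumentsForCall.
      if (!/[0-9]/.test(body) || !/[A-Za-z]/.test(body)) continue;
      findings.push({ file, line: i + 1, type: KEY_TYPES[m[1]], key: redact(m[0]) });
    }
  });
  return findings;
}

// Scan a { path: contents } map, e.g. the staged files of a commit.
// A hook should block the commit when the result is non-empty.
function scanFiles(files) {
  return Object.entries(files).flatMap(([file, text]) => scanText(text, file));
}

// Constructed sample input (the key values are made up for this example).
const SAMPLE_FILES = {
  'config/app.js': [
    "const apiKey = process.env.FINFUSION_API_KEY; // read from env: not flagged",
    "const legacyKey = 'prod_9fK2mQ7xLp40Zt8RbW3c'; // hardcoded: flagged",
  ].join('\n'),
  '.env.example': 'FINFUSION_API_KEY=dev_your_key_here\n',
  'src/util.js': 'function rest_ofTheArgumentsForCall() {}\n',
  'test/fixtures.json': '{ "key": "dev_a1b2c3d4e5f6a7b8c9d0" }\n',
};

for (const f of scanFiles(SAMPLE_FILES)) {
  console.log(`${f.file}:${f.line} ${f.type} key ${f.key}`);
}
```

Any key the scanner finds in a commit should be treated as compromised and revoked, since it may already exist in history or on other machines.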

Need Help with API Key Management?

Our security team can help you implement best practices for API key management and security. Contact us for guidance on your specific needs.
