API Key Management

Generation and Storage

  1. Secure Generation: Always use KeyHippo’s built-in functions for API key generation. Never create keys manually or use predictable patterns.

    const result = await keyHippo.createApiKey(userId, "Primary API Key");

  2. Secure Storage: Store API keys securely. Never expose them in client-side code, version control systems, or logs.

  3. Encryption at Rest: Ensure that your database employs encryption at rest to protect stored API key hashes.

Distribution and Usage

  1. Secure Transmission: When distributing API keys to users, use secure channels and encourage immediate key rotation after first use.

  2. Key Rotation: Implement regular key rotation policies. KeyHippo facilitates this:

    await keyHippo.revokeApiKey(userId, oldKeyId);
const newKey = await keyHippo.createApiKey(userId, "Rotated Key");

  3. Least Privilege: Assign the minimum necessary permissions to each API key. Utilize KeyHippo’s metadata to manage key permissions:

    const metadata = await keyHippo.getAllKeyMetadata(userId);
// Analyze metadata to ensure appropriate permissions

Row Level Security (RLS) Policies

  1. Comprehensive Checks: Always include both session-based and API key checks in your RLS policies:

    CREATE POLICY "access_policy"
ON "public"."resources"
USING (
  auth.uid() = resources.owner_id
  OR auth.keyhippo_check(resources.owner_id)
);

  2. Granular Policies: Create specific policies for different operations (SELECT, INSERT, UPDATE, DELETE) rather than using catch-all policies.

  3. Regular Audits: Periodically review and test your RLS policies to ensure they provide the intended level of security.

Monitoring and Auditing

  1. Usage Tracking: Regularly monitor API key usage. KeyHippo provides functions for this:

    const metadata = await keyHippo.getAllKeyMetadata(userId);
// Analyze metadata for unusual patterns

  2. Logging: Implement comprehensive logging for all API key operations, including creations, revocations, and usage.

  3. Alerting: Set up alerts for suspicious activities, such as multiple failed authentication attempts or unusual usage patterns.

Application Security

  1. Input Validation: Always validate and sanitize input, even when using API key authentication.

  2. Rate Limiting: Implement rate limiting to prevent abuse of API keys. Consider using Supabase Edge Functions for this.

  3. HTTPS: Ensure all communications are encrypted using HTTPS. Never transmit API keys over unencrypted connections.

  4. Dependencies: Regularly update KeyHippo and all other dependencies to benefit from the latest security patches.

Incident Response

  1. Key Revocation: In case of a suspected breach, be prepared to quickly revoke compromised keys:

    await keyHippo.revokeApiKey(userId, compromisedKeyId);

  2. User Notification: Have a process in place to notify users of security incidents and guide them through key rotation.

  3. Forensics: Maintain logs and audits to facilitate post-incident analysis.

Development Practices

  1. Environment Separation: Use separate API keys for development, staging, and production environments.

  2. Code Reviews: Implement mandatory code reviews for all changes involving KeyHippo functionality or RLS policies.

  3. Security Testing: Regularly perform security testing, including penetration testing and vulnerability assessments.

User Education

  1. Documentation: Provide clear documentation to your users on API key best practices.

  2. Onboarding: Include API key security in your user onboarding process.

  3. Regular Communication: Keep users informed about security best practices and any changes to your API key policies.

Advanced RLS Policies

Learn how to create sophisticated access control policies with KeyHippo.

Supabase RLS CompatibilityCreate KeyHippo Policies