Api Authentication¶
Introduction¶
HeapStream uses HTTP Basic Auth. The authentication is your API Key id as username and API Key password as password.
If invalid credentials are provided, a 401 Unauthorized response code is returned with the corresponding JSON body.
API Key protection¶
To protect your credentials from being revealed on the client-side, invoke the HeapStream calls from your own server-side applications only.
Security Measures
- Avoid embedding API keys directly in the code. Direct code embedding can lead to unintentional public exposure, for instance, when sharing code without removing the keys. Store your API keys in environment variables or separate files, not within your application's source tree.
- Do not place API keys in files within your application's source structure. If storing keys in files, ensure they are outside your application's source directory to prevent accidental inclusion in version control systems, especially important in public platforms like GitHub.
- Thoroughly review your code before public release to ensure no API keys or private information are included.
- Regularly delete unneeded API keys to reduce attack vectors.
- Assign each API key pair to a specific system within your platform backend, limiting the scope and impact in case of a compromise. This approach allows targeted key deletion without affecting other API keys.
Accessing API Keys¶
Find your API key id & password in the dashboard, where you can also manage multiple API keys for various applications.
Basic Auth Request Example¶
Below is an example of an authenticated request.
For ApiKey.id 3275020786116592843 and ApiKey.password uO_wTq_QqjKTtSeya2tCZx6ja6RVMqXU, the corresponding API request is: