Security Best Practices

Keep your API keys safe and your application secure.

Never commit API keys

Keep local secrets out of version control:

# Add to .gitignore
.env
.env.local
.env.*.local

Use environment variables

Load secrets from the environment or a managed secret store. Examples:

JavaScript

# .env.local (dotenv files use # for comments)
KYNODE_API_KEY=your_api_key_here

// In your code
const apiKey = process.env.KYNODE_API_KEY;

Python

# .env
KYNODE_API_KEY=your_api_key_here

# In your code
import os
from dotenv import load_dotenv

load_dotenv()
api_key = os.getenv('KYNODE_API_KEY')

Never expose API keys in the frontend

Unsafe — key visible in the browser

// DON'T DO THIS - API key exposed in browser
fetch('https://kynode-api.kynode.workers.dev/v1/verify', {
  headers: {
    'Authorization': 'Bearer sk_live_abc123...' // EXPOSED!
  }
})

Recommended — call your own backend

// Use your own backend as proxy
fetch('/api/verify-business', {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' }, // needed so express.json() parses the body
  body: JSON.stringify({
    business_number: businessNumber,
    startDate,
    ownerName,
    company_name: companyName,
    language: 'en',
  }),
})

// Backend (Node.js/Express)
app.use(express.json()); // populates req.body for JSON requests

app.post('/api/verify-business', async (req, res) => {
  const response = await fetch('https://kynode-api.kynode.workers.dev/v1/verify', {
    method: 'POST',
    headers: {
      'Authorization': `Bearer ${process.env.KYNODE_API_KEY}`, // the key never leaves the server
      'Content-Type': 'application/json',
    },
    body: JSON.stringify({
      business_number: req.body.business_number,
      startDate: req.body.startDate,
      ownerName: req.body.ownerName,
      company_name: req.body.company_name,
      language: req.body.language ?? 'en',
    }),
  });
  const result = await response.json();
  // Relay the upstream status so the browser can tell a rejected request from a success
  res.status(response.status).json(result);
});
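The proxy above forwards whatever the browser sends and relays whatever the API answers. The following is an added example, not Kynode's own code, of a hardened version of the same route that also covers the "Use environment variables" section: the key is read from the server environment and the handler fails closed when it is missing, only allowlisted fields are validated and forwarded, the upstream call is bounded by a timeout, and upstream failures are reduced to a generic error before reaching the client. Field names follow this page; the validation formats, the supported-language list, the timeout and the error messages are this example's assumptions.

```javascript
// Added example (not Kynode's own code): hardened backend proxy for /v1/verify.
// Assumptions: field formats, SUPPORTED_LANGUAGES, UPSTREAM_TIMEOUT_MS, error texts.
'use strict';

const UPSTREAM_URL = 'https://kynode-api.kynode.workers.dev/v1/verify';
const UPSTREAM_TIMEOUT_MS = 5000;    // assumed value
const SUPPORTED_LANGUAGES = ['en'];  // assumed: only 'en' appears on the page

// Allowlist of client-supplied fields and their validators (formats are assumptions).
const FIELD_RULES = {
  business_number: (v) => typeof v === 'string' && /^[0-9-]{5,20}$/.test(v),
  startDate:       (v) => typeof v === 'string' && /^\d{4}-\d{2}-\d{2}$/.test(v),
  ownerName:       (v) => typeof v === 'string' && v.length > 0 && v.length <= 100,
  company_name:    (v) => typeof v === 'string' && v.length > 0 && v.length <= 200,
  language:        (v) => v === undefined || SUPPORTED_LANGUAGES.includes(v),
};

// Returns { ok: true, payload } containing only allowlisted fields, or { ok: false, error }.
function validateVerifyRequest(body) {
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return { ok: false, error: 'request body must be a JSON object' };
  }
  const payload = {};
  for (const [field, isValid] of Object.entries(FIELD_RULES)) {
    const value = body[field];
    if (!isValid(value)) return { ok: false, error: `invalid or missing field: ${field}` };
    if (value !== undefined) payload[field] = value;
  }
  payload.language = payload.language ?? 'en';
  return { ok: true, payload };
}

// Builds the upstream request. The key comes only from the server environment and the
// function fails closed (no upstream call at all) when it is not configured.
function buildUpstreamRequest(payload, apiKey) {
  if (typeof apiKey !== 'string' || apiKey.trim() === '') {
    throw new Error('KYNODE_API_KEY is not configured');
  }
  const options = {
    method: 'POST',
    headers: { Authorization: `Bearer ${apiKey}`, 'Content-Type': 'application/json' },
    body: JSON.stringify(payload),
  };
  if (typeof AbortSignal !== 'undefined' && typeof AbortSignal.timeout === 'function') {
    options.signal = AbortSignal.timeout(UPSTREAM_TIMEOUT_MS); // bound the upstream wait
  }
  return { url: UPSTREAM_URL, options };
}

// Maps the upstream result to what the browser may see; 5xx and unexpected statuses become
// a generic 502 so the API's own error bodies are never relayed to the client.
function sanitizeUpstreamResponse(status, json) {
  if (status >= 200 && status < 300) return { status: 200, body: json };
  if (status === 400 || status === 404) return { status, body: { error: 'verification request rejected' } };
  return { status: 502, body: { error: 'verification service unavailable' } };
}

// Masks a key for log lines: enough prefix and suffix to tell keys apart, nothing more.
function redactKey(key) {
  if (typeof key !== 'string' || key.length <= 12) return '****';
  return `${key.slice(0, 4)}...${key.slice(-4)}`;
}

// Framework-agnostic (req, res) handler. In Express, register it after app.use(express.json())
// with: app.post('/api/verify-business', createVerifyHandler());
function createVerifyHandler({ apiKey = process.env.KYNODE_API_KEY, fetchImpl = globalThis.fetch } = {}) {
  return async function verifyBusiness(req, res) {
    const checked = validateVerifyRequest(req.body);
    if (!checked.ok) return res.status(400).json({ error: checked.error });
    try {
      const { url, options } = buildUpstreamRequest(checked.payload, apiKey);
      const upstream = await fetchImpl(url, options);
      const json = await upstream.json().catch(() => ({}));
      const out = sanitizeUpstreamResponse(upstream.status, json);
      return res.status(out.status).json(out.body);
    } catch (err) {
      // Log the failure without the secret so the log line is safe to ship elsewhere.
      console.error('verify proxy failure', { key: redactKey(apiKey), message: err.message });
      return res.status(502).json({ error: 'verification service unavailable' });
    }
  };
}
```

The handler takes the key and the `fetch` implementation as parameters so it can be unit-tested with fakes; in production both defaults apply and nothing about the key ever reaches the response or the logs.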

API key rotation

  • Rotate keys on a regular cadence (for example every 90 days) or immediately after personnel changes.
  • Use separate keys for development, staging, and production environments.
  • Revoke any key that may have leaked; prefer short-lived keys if your platform supports them.

Monitor for suspicious activity

  • Review usage in the dashboard for unexpected spikes or new geographic patterns.
  • Enable alerting when request volume exceeds thresholds you define.
  • If you use webhooks, verify signatures and treat delivery logs as part of your audit trail.

HTTPS required

All API requests must use TLS. Do not send `Authorization` headers over plain HTTP.

Pin to modern TLS versions in corporate proxies so traffic cannot be downgraded.

Rate limiting protection

  • Implement client-side throttling and exponential backoff to stay under tier limits.
  • Cache successful verification responses when business data does not need to be real-time.
  • Prefer webhooks for asynchronous workflows instead of tight polling loops.
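The three items above describe one server-side client: it caches successful answers, retries rate-limited or failed calls with backoff, and gives up rather than hammering the API. The following is an added example, not Kynode's own code, of such a client for the `/v1/verify` endpoint, meant to run on your backend where the key lives. It honours `Retry-After` when the API sends one, otherwise uses exponential backoff with full jitter, and keeps a TTL cache keyed on the request fields. The TTL, attempt count and delay ceiling are this example's assumptions.

```javascript
// Added example (not Kynode's own code): backend client with caching, backoff and a
// bounded retry budget. Assumptions: DEFAULTS values; the API's exact 429 behaviour.
'use strict';

const VERIFY_URL = 'https://kynode-api.kynode.workers.dev/v1/verify';
const DEFAULTS = { maxAttempts: 4, baseDelayMs: 500, maxDelayMs: 8000, cacheTtlMs: 60 * 60 * 1000 };

// Exponential backoff with full jitter: uniform in [0, min(maxDelayMs, baseDelayMs * 2^attempt)].
function backoffDelayMs(attempt, { baseDelayMs, maxDelayMs }, random = Math.random) {
  const ceiling = Math.min(maxDelayMs, baseDelayMs * 2 ** attempt);
  return Math.floor(random() * ceiling);
}

// Retry-After may be delay-seconds or an HTTP date; returns ms, or null when absent/unparseable.
function parseRetryAfterMs(header, nowMs) {
  if (!header) return null;
  if (/^\d+$/.test(header)) return Number(header) * 1000;
  const at = Date.parse(header);
  return Number.isNaN(at) ? null : Math.max(0, at - nowMs);
}

// Only rate limiting and server-side failures are worth retrying; 4xx input errors are not.
function shouldRetry(status) {
  return status === 429 || (status >= 500 && status < 600);
}

// Stable cache key: the same fields in a fixed order regardless of object key order.
function cacheKey(payload) {
  return JSON.stringify(Object.keys(payload).sort().map((k) => [k, payload[k]]));
}

// fetchImpl, sleep, now and random are injectable so the retry logic can be tested offline.
function createVerifyClient({
  apiKey,
  fetchImpl = globalThis.fetch,
  sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms)),
  now = Date.now,
  random = Math.random,
  ...overrides
} = {}) {
  const cfg = { ...DEFAULTS, ...overrides };
  const cache = new Map(); // cacheKey -> { expiresAt, value }

  async function verify(payload) {
    const key = cacheKey(payload);
    const hit = cache.get(key);
    if (hit && hit.expiresAt > now()) return { ...hit.value, cached: true };

    for (let attempt = 0; attempt < cfg.maxAttempts; attempt++) {
      const res = await fetchImpl(VERIFY_URL, {
        method: 'POST',
        headers: { Authorization: `Bearer ${apiKey}`, 'Content-Type': 'application/json' },
        body: JSON.stringify(payload),
      });
      if (res.status >= 200 && res.status < 300) {
        const value = await res.json();
        cache.set(key, { expiresAt: now() + cfg.cacheTtlMs, value });
        return { ...value, cached: false };
      }
      if (!shouldRetry(res.status) || attempt === cfg.maxAttempts - 1) {
        throw new Error(`verify failed with HTTP ${res.status} after ${attempt + 1} attempt(s)`);
      }
      // Prefer the server's own Retry-After; fall back to jittered exponential backoff.
      const retryAfter = parseRetryAfterMs(res.headers?.get?.('retry-after'), now());
      await sleep(retryAfter ?? backoffDelayMs(attempt, cfg, random));
    }
  }

  return { verify, cacheSize: () => cache.size };
}
```

Choose the cache TTL from how quickly the underlying business data can change; a verification that is cached for an hour is usually fine for a registration check, but not for anything where the result drives a real-time decision. The jitter matters as much as the exponential growth: without it, every client that hit the limit at the same moment retries at the same moment.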