API Key Security

Protect your Synoveo API keys to prevent unauthorized access.

API Key Structure

Each API key consists of:

Client ID - Public identifier
Client Secret - Private key (shown once)

Security Features

Domain Binding

API keys are bound to specific domains:

Only requests from configured domain work
Prevents stolen keys from working elsewhere
Configure domain during key creation

Location Scoping

Keys can be restricted to specific locations:

One key = one location
Prevents accidental cross-location changes
Limits blast radius if compromised

Rate Limiting

Built-in rate limits prevent abuse:

Per-key limits
Per-plan limits
Automatic blocking on abuse

Best Practices

1. Keep Secrets Secret

Never commit to version control
Don't share via email/chat
Use environment variables

// Good - environment variable
define('SYNOVEO_SECRET', getenv('SYNOVEO_CLIENT_SECRET'));

// Bad - hardcoded
define('SYNOVEO_SECRET', 'sk_live_xxx'); // NEVER DO THIS

2. Use Environment Variables

# .env file (never commit)
SYNOVEO_CLIENT_ID=your_client_id
SYNOVEO_CLIENT_SECRET=your_secret

3. Rotate Keys Regularly

Generate new key
Update applications
Revoke old key
Recommended: Every 90 days

4. Monitor Usage

Review key usage in dashboard
Set up alerts for unusual activity
Check for unauthorized access

5. Revoke Compromised Keys

If a key is exposed:

Immediately revoke in dashboard
Generate new key
Update applications
Review access logs

Key Management

Creating Keys

Go to API Keys in dashboard
Click "Create API Key"
Configure domain and location
Copy and save secret immediately

Viewing Keys

Client ID always visible
Secret only shown once at creation
Last used timestamp available

Revoking Keys

Find key in dashboard
Click "Revoke"
Confirm revocation
Key immediately invalidated

WordPress Plugin

The WordPress plugin handles keys automatically:

Stored encrypted in WordPress options
Never exposed in frontend
Protected by WordPress security

Configure via Settings → Synoveo in WordPress admin.