Secure your Pinned Events API integration with server-side API key storage, scoped permissions, key rotation, safe logging, and duplicate-safe retries.
Store keys server-side
- Keep API keys in server-side environment variables or a secrets manager.
- Never place API keys in browser JavaScript, public mobile apps, static config files, or repositories.
- Do not log full API keys, key hashes, sensitive request payloads, or private event content.
Use least privilege
Give each integration only the scopes it needs. Use one key per integration so revoking a compromised key has a small blast radius.
Rotate and revoke keys
Create a replacement key, deploy the new secret, verify traffic, then revoke the old key. Revocation is soft and preserves audit metadata.
Safe logging
Log request IDs, status codes, route names, and non-sensitive integration identifiers. Do not log full API keys, key hashes, Authorization headers, private event payloads, or partner-submitted secrets.
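The following is an added example, not code from the Pinned Events API project, showing how the two rules above (keys only from server-side configuration, logs limited to request ID, status and route) can be enforced in a small client helper. The environment variable name PINNED_EVENTS_API_KEY and the route name are assumptions; the sample key is constructed.

```python
import os

# Header whose value must never reach a log; the page names Authorization explicitly.
SENSITIVE_HEADERS = frozenset({"authorization"})


def load_api_key(env=os.environ, name="PINNED_EVENTS_API_KEY"):
    """Read the key from a server-side environment variable (variable name assumed).

    Raising here is deliberate: a missing key should fail at startup rather than
    tempt someone to hard-code one in a config file or the client bundle.
    """
    key = env.get(name, "").strip()
    if not key:
        raise RuntimeError(f"{name} is not set; provide it from the server environment or a secrets manager")
    return key


def build_headers(api_key):
    """Bearer auth header for Public API requests; only ever built in server-side code."""
    return {"Authorization": f"Bearer {api_key}", "Content-Type": "application/json"}


def safe_log_record(route, status, request_id, headers, api_key):
    """Build a log record limited to the fields the page permits.

    Only header *names* are recorded, the Authorization header is dropped entirely,
    and the record is checked so a key can never be emitted by accident.
    """
    record = {
        "route": route,
        "status": status,
        "request_id": request_id,
        "headers_sent": sorted(h for h in headers if h.lower() not in SENSITIVE_HEADERS),
    }
    if api_key in repr(record):
        raise RuntimeError("refusing to log a record that contains the API key")
    return record


def scrub(text, api_key):
    """Redact the key from free-form text (exception messages, debug dumps) before logging it."""
    return text.replace(api_key, "[REDACTED]")


if __name__ == "__main__":
    # Constructed sample key; a real deployment reads it from the server environment.
    key = load_api_key({"PINNED_EVENTS_API_KEY": "pk_constructed_example_123"})
    hdrs = build_headers(key)
    print(safe_log_record("POST /events", 201, "req-42", hdrs, key))
    print(scrub("upstream error echoing Bearer pk_constructed_example_123", key))
```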
Related pages
- Authentication: Authenticate Public API requests with bearer API keys from trusted server-side code.
- API keys and scopes: Understand API key lifecycle, default quickstart scopes, owner-scoped channel access, and revocation behavior.
- Rate limits: Understand 429 responses, Retry-After handling, and retry strategies for busy integrations.
- Troubleshooting: Diagnose authentication failures, forbidden channel access, validation errors, duplicate events, and rate limits.