Documentation Index
Fetch the complete documentation index at: https://guide.codepure.com/llms.txt
Use this file to discover all available pages before exploring further.
Common Misconfiguration
Exposed third-party API keys can lead to unauthorized service usage, data breaches, and significant financial costs.
Vulnerable Example
// VULNERABLE - Hardcoded third-party API keys
const config = {
// Communication APIs
twilio: {
accountSid: 'AC1234567890abcdef1234567890abcdef',
authToken: '1234567890abcdef1234567890abcdef',
apiKey: 'SK1234567890abcdef1234567890abcdef',
apiSecret: 'abcdef1234567890abcdef1234567890'
},
sendgrid: {
apiKey: 'SG.1234567890abcdef.1234567890abcdef1234567890abcdef1234567890'
},
mailgun: {
apiKey: 'key-1234567890abcdef1234567890abcdef',
domain: 'mg.example.com'
},
// Analytics & Monitoring
datadog: {
apiKey: 'abcdef1234567890abcdef1234567890',
appKey: '1234567890abcdef1234567890abcdef1234567890'
},
newRelic: {
licenseKey: 'abcdef1234567890abcdef1234567890NRAL',
apiKey: 'NRAK-1234567890ABCDEF1234567890'
},
sentry: {
dsn: 'https://abcdef1234567890@o123456.ingest.sentry.io/1234567'
},
// Maps & Location
googleMaps: {
apiKey: 'AIzaSyDaGmWKa4JsXZ-HjGw7ISLn_3namBGewQe'
},
mapbox: {
accessToken: 'pk.eyJ1IjoiZXhhbXBsZSIsImEiOiJjbGFzZGZhc2RmIn0.1234567890'
},
// Cloud Storage
s3: {
accessKey: 'AKIAIOSFODNN7EXAMPLE',
secretKey: 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'
},
cloudinary: {
cloudName: 'mycloud',
apiKey: '123456789012345',
apiSecret: 'abcdef1234567890abcdef12'
},
// Social Media
twitter: {
apiKey: 'abcdef1234567890abcdef123',
apiSecret: '1234567890abcdef1234567890abcdef1234567890abcdef',
bearerToken: 'AAAAAAAAAAAAAAAAAAAAAMLheAAAAAAA0%2BuSeid%2BULvsea4JtiGRiSDSJSI%3DEUifiRBkKG5E2XzMDjRfl76ZC9Ub0wnz4XsNiRVBChTYbJcE3F'
},
facebook: {
appId: '1234567890123456',
appSecret: 'abcdef1234567890abcdef1234567890'
},
// AI/ML Services
openai: {
apiKey: 'sk-1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJ'
},
anthropic: {
apiKey: 'sk-ant-1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJ'
}
};
Secure Example
// SECURE - Environment-based API key management
class SecureAPIManager {
constructor() {
this.apis = {};
this.initialized = false;
}
async initialize() {
// Load from environment variables with validation
this.loadEnvironmentKeys();
// Or load from secrets manager
await this.loadFromSecretsManager();
// Validate all required keys
this.validateConfiguration();
this.initialized = true;
}
loadEnvironmentKeys() {
// Communication APIs
this.apis.twilio = {
accountSid: this.getRequiredEnv('TWILIO_ACCOUNT_SID'),
authToken: this.getRequiredEnv('TWILIO_AUTH_TOKEN'),
fromNumber: this.getRequiredEnv('TWILIO_FROM_NUMBER')
};
this.apis.sendgrid = {
apiKey: this.getRequiredEnv('SENDGRID_API_KEY'),
fromEmail: this.getRequiredEnv('SENDGRID_FROM_EMAIL')
};
// Analytics & Monitoring (optional keys)
this.apis.datadog = {
apiKey: process.env.DATADOG_API_KEY,
appKey: process.env.DATADOG_APP_KEY,
enabled: !!process.env.DATADOG_API_KEY
};
this.apis.sentry = {
dsn: process.env.SENTRY_DSN,
environment: process.env.NODE_ENV || 'development',
enabled: !!process.env.SENTRY_DSN
};
}
async loadFromSecretsManager() {
// AWS Secrets Manager example
const AWS = require('aws-sdk'); // v2 SDK example
const secretsManager = new AWS.SecretsManager();
try {
const secretName = 'prod/api-keys';
const secret = await secretsManager.getSecretValue({
SecretId: secretName
}).promise();
const keys = JSON.parse(secret.SecretString);
// Merge with existing configuration
// Note: This is a simple merge; a more robust solution would be needed
Object.assign(this.apis, keys);
} catch (error) {
console.error('Failed to load secrets, falling back to environment variables:', error);
}
}
getRequiredEnv(key) {
const value = process.env[key];
if (!value) {
throw new Error(`Required environment variable ${key} is not set`);
}
return value;
}
validateConfiguration() {
// Validate API key formats
const validators = {
twilio: (config) => {
if (!config.accountSid?.startsWith('AC')) {
throw new Error('Invalid Twilio Account SID format');
}
},
sendgrid: (config) => {
if (!config.apiKey?.startsWith('SG.')) {
throw new Error('Invalid SendGrid API key format');
}
},
stripe: (config) => { // Example if stripe was loaded
if (config.apiKey?.startsWith('sk_live_') &&
process.env.NODE_ENV !== 'production') {
throw new Error('Live Stripe key used in non-production environment');
}
}
};
for (const [name, validator] of Object.entries(validators)) {
if (this.apis[name]) {
validator(this.apis[name]);
}
}
}
// Rate limiting wrapper (conceptual example)
createRateLimitedClient(apiName, client) {
// const rateLimit = require('express-rate-limit'); // Example library
const limits = {
twilio: { requests: 100, window: 60000 }, // 100 req/min
sendgrid: { requests: 100, window: 1000 }, // 100 req/sec
openai: { requests: 60, window: 60000 }, // 60 req/min
};
const limit = limits[apiName] || { requests: 100, window: 60000 };
// This is pseudo-code; real implementation would be more complex
return new Proxy(client, {
get: (target, prop) => {
if (typeof target[prop] === 'function') {
return async (...args) => {
// Implement actual rate limiting logic here
// await this.checkRateLimit(apiName, limit);
return target[prop](...args);
};
}
return target[prop];
}
});
}
// Secure client initialization
getTwilioClient() {
if (!this.apis.twilio) {
throw new Error('Twilio not configured');
}
const twilio = require('twilio');
const client = twilio(
this.apis.twilio.accountSid,
this.apis.twilio.authToken,
{
lazyLoading: true,
edge: 'sydney', // Use edge location
logLevel: 'error'
}
);
return this.createRateLimitedClient('twilio', client);
}
getSendGridClient() {
if (!this.apis.sendgrid) {
throw new Error('SendGrid not configured');
}
const sgMail = require('@sendgrid/mail');
sgMail.setApiKey(this.apis.sendgrid.apiKey);
// Add request interceptor for monitoring
sgMail.setSubstitutionWrappers('{{', '}}');
return sgMail;
}
}
# SECURE - Docker secrets example
version: '3.8'
services:
app:
image: myapp:latest
environment:
- NODE_ENV=production
secrets:
- twilio_auth
- sendgrid_key
- stripe_key
secrets:
twilio_auth:
external: true
name: twilio_auth_token_v1
sendgrid_key:
external: true
name: sendgrid_api_key_prod
stripe_key:
external: true
name: stripe_secret_key_prod
# SECURE - Kubernetes ConfigMap and Secret
apiVersion: v1
kind: ConfigMap
metadata:
name: api-config
data:
TWILIO_FROM_NUMBER: "+1234567890"
SENDGRID_FROM_EMAIL: "noreply@example.com"
SENTRY_ENVIRONMENT: "production"
---
apiVersion: v1
kind: Secret
metadata:
name: api-keys
type: Opaque
stringData:
TWILIO_ACCOUNT_SID: ${TWILIO_ACCOUNT_SID} # Injected by CI/CD
TWILIO_AUTH_TOKEN: ${TWILIO_AUTH_TOKEN} # Injected by CI/CD
SENDGRID_API_KEY: ${SENDGRID_API_KEY} # Injected by CI/CD
DATADOG_API_KEY: ${DATADOG_API_KEY} # Injected by CI/CD
STRIPE_SECRET_KEY: ${STRIPE_SECRET_KEY} # Injected by CI/CD
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: app
spec:
template:
spec:
containers:
- name: app
envFrom:
- configMapRef:
name: api-config
- secretRef:
name: api-keys
Detection Patterns
- Twilio API Key:
`SK[0-9a-fA-F]{32}`
- Twilio Account SID:
`AC[0-9a-fA-F]{32}`
- SendGrid API Key:
`SG\.[0-9a-zA-Z\.\-_]{60,}`
- Mailgun API Key:
`key-[0-9a-fA-F]{32}`
- Datadog API Key:
`[a-fA-F0-9]{32}`
- Datadog App Key:
`[a-fA-F0-9]{40}`
- New Relic License Key:
`[0-9a-fA-F]{40}NRAL`
- OpenAI API Key:
`sk-[a-zA-Z0-9]{48}`
- Anthropic API Key:
`sk-ant-[a-zA-Z0-9]{95}`
- Google API Key:
`AIza[0-9A-Za-z\\-_]{35}`
- Sentry DSN:
`https://[0-9a-f]{32}@o[0-9]+\.ingest\.sentry\.io\/[0-9]+`
- Mapbox Access Token:
`(pk|sk)\.eyJ[a-zA-Z0-9\._-]{80,}`
- Cloudinary:
`cloudinary:\/\/[0-9]{15}:[a-zA-Z0-9\-_]{27}@`
- Facebook App Secret:
`[a-fA-F0-9]{32}`
- Twitter Bearer Token:
`AAAAA[a-zA-Z0-9\-%]{80,}`
Prevention Best Practices
- Use Secrets Management: Never hardcode keys. Load them from a central, secure location at runtime, such as environment variables (
.env files for local development) or a dedicated secrets manager (like HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, or GCP Secret Manager).
- Enforce Least Privilege: Do not use root API keys. Create “restricted” keys with the minimum permissions needed. For example, a SendGrid key might only need “Mail Send” permissions, not “Full Access” or “Billing” permissions.
- Use Separate Keys Per Environment: Never use your “live” or “production” API keys in development, testing, or staging. Use separate test keys (like
sk_test_... for Stripe) or sandboxed accounts.
- Use IP Whitelisting: If your provider supports it (e.g., Google Maps, SendGrid), lock your API key so it only works when requests come from your server’s known, static IP addresses. This is a highly effective defense.
- Verify Webhooks: If a third-party service (like Twilio or Sentry) sends you data via a webhook, always verify the request’s signature to ensure it’s authentic and not an attacker.
- Implement Rate Limiting: Protect your application and your budget by rate-limiting calls to third-party services. This prevents a single user (or an attacker) from causing a massive bill or getting your account suspended.
- Monitor and Audit Usage: Actively log and monitor your API usage. Set up billing alerts and anomaly detection (e.g., “alert me if Twilio costs exceed $10 in an hour”) to catch leaks as soon as they happen.
- Rotate API Keys: All keys should have a defined lifespan. Regularly rotate (delete and create new) your API keys to limit the window of opportunity if a key is ever silently leaked. Automate this process if your provider supports it.
- Enable Key Expiration: If the provider allows it, set an automatic expiration date on API keys, especially for temporary or testing purposes.
- Audit Key Usage Regularly: Periodically review all active API keys and delete any that are no longer needed by your application.
