
API key management best practices

Updated February 12, 2026

Key Format

ComplianceGrid API keys follow a predictable format that indicates their environment:

  • Sandbox keys: cg_sk_ followed by a 40-character hex string
  • Production keys: cg_pk_ followed by a 40-character hex string

Storage

Never store API keys in source code, configuration files committed to git, or client-side applications. Instead:

  • Use environment variables for local development
  • Use a secrets manager (AWS Secrets Manager, Azure Key Vault, HashiCorp Vault) for production
  • Use CI/CD pipeline secrets for build and deploy processes
  • If using Docker, pass keys via --env flags or Docker secrets — never bake them into images
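The following is an added example, not ComplianceGrid's own code: a small Python module that checks the key format described under Key Format and applies the Storage rules. It recognizes the cg_sk_/cg_pk_ prefixes, scans source text for checked-in keys (reporting the line and environment, never the key itself), and loads a key from an environment variable while verifying it belongs to the expected environment. The environment variable name COMPLIANCEGRID_API_KEY and the sample file contents are assumptions; the key values in the sample are made-up 40-character hex strings.

```python
import os
import re
from typing import Optional

# Key format from this page: environment prefix (cg_sk_ sandbox, cg_pk_ production)
# followed by a 40-character hex string.
KEY_RE = re.compile(r"\bcg_(sk|pk)_[0-9a-f]{40}\b")
ENVIRONMENTS = {"sk": "sandbox", "pk": "production"}


def key_environment(key: str) -> Optional[str]:
    """Return 'sandbox' or 'production' for a well-formed key, else None."""
    m = KEY_RE.fullmatch(key.strip())
    return ENVIRONMENTS[m.group(1)] if m else None


def find_keys(text: str) -> list:
    """Scan text (e.g. a file in a pre-commit hook) for keys.

    Returns (line_number, environment) pairs. The key value itself is deliberately
    not returned, so the scanner's own output does not leak the secret.
    """
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in KEY_RE.finditer(line):
            hits.append((lineno, ENVIRONMENTS[m.group(1)]))
    return hits


def validate_key(key: Optional[str], expected_env: str) -> str:
    """Check that a key value is well-formed and belongs to expected_env."""
    if not key:
        raise RuntimeError("API key is not set; supply it via the environment or a secrets manager")
    env = key_environment(key)
    if env is None:
        raise ValueError("value does not look like a ComplianceGrid API key")
    if env != expected_env:
        raise ValueError(f"found a {env} key but a {expected_env} key was expected")
    return key


def load_key_from_env(var: str = "COMPLIANCEGRID_API_KEY", expected_env: str = "production") -> str:
    """Read the key from an environment variable (assumed name) and validate it.

    A sandbox key accidentally deployed to production, or vice versa, fails here
    at startup instead of producing confusing 401/403 errors later.
    """
    return validate_key(os.environ.get(var), expected_env)


# Constructed sample of a source file a pre-commit hook might scan. The key
# values are made up and are not real credentials.
SAMPLE_SOURCE = """\
API_KEY = "cg_pk_0123456789abcdef0123456789abcdef01234567"  # production key checked in
SANDBOX = "cg_sk_deadbeefdeadbeefdeadbeefdeadbeefdeadbeef"
OTHER = "cg_pk_notahexstring"
"""

if __name__ == "__main__":
    for lineno, env in find_keys(SAMPLE_SOURCE):
        print(f"line {lineno}: {env} key found; move it to an environment variable or secrets manager")
```

Run the module directly to see the scanner report the two checked-in keys in the sample (the third value has the prefix but not the 40-character hex body, so it is ignored); wire find_keys into a pre-commit hook or CI step to block commits that contain keys.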

Key Limits

Each environment (sandbox and production) supports up to 2 active API keys simultaneously. This limit enables zero-downtime key rotation — you create a new key, migrate your services, then revoke the old one.

Naming Conventions

Use descriptive names when creating keys in the Developer Portal:

  • production-screening-service — Clear what service uses this key
  • staging-ci-cd — Indicates it's for CI/CD in a staging environment
  • key-1 — Bad: tells you nothing about usage or purpose

Monitoring

Review your API usage dashboard regularly. Look for:

  • Unexpected spikes in request volume
  • Requests from unexpected IP addresses or regions
  • 401/403 errors that could indicate leaked or misused keys
  • Keys that haven't been used in 30+ days (candidates for revocation)
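The four checks above, implemented as an added Python example over constructed usage-log records (this is not ComplianceGrid's dashboard or log format). Each record is a (timestamp, key name, source IP, HTTP status) tuple; the set of known keys, the 10.0.0.0/8 "expected" network and the review time are assumptions for the sample. The sample mixes normal traffic from an internal address with a burst of 403 responses from an unfamiliar address, plus a key last used more than 30 days ago and one never used at all.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample log: (ISO timestamp, key name, source IP, HTTP status).
SAMPLE_LOG = [
    ("2026-02-10T09:00:00", "production-screening-service", "10.0.1.5", 200),
    ("2026-02-10T09:05:00", "production-screening-service", "10.0.1.5", 200),
    ("2026-02-10T10:00:00", "production-screening-service", "10.0.1.5", 200),
    ("2026-02-10T10:10:00", "production-screening-service", "10.0.1.5", 200),
    ("2026-02-10T11:00:00", "production-screening-service", "10.0.1.5", 200),
    ("2026-02-10T11:20:00", "production-screening-service", "10.0.1.5", 200),
    ("2026-01-05T08:00:00", "staging-ci-cd", "10.0.2.9", 200),
] + [
    # burst of forbidden responses from an address outside the expected network
    (f"2026-02-10T12:{4 * i:02d}:00", "production-screening-service", "203.0.113.7", 403)
    for i in range(12)
]

# Assumptions for the sample: all keys known to the Developer Portal, the
# networks your services normally call from, and the time of this review.
ALL_KEYS = {"production-screening-service", "staging-ci-cd", "key-1"}
KNOWN_NETWORKS = [ip_network("10.0.0.0/8")]
REVIEW_TIME = datetime(2026, 2, 12, 0, 0, 0)


def parse(records):
    """Turn raw tuples into dicts with a real datetime so all checks share one shape."""
    return [
        {"ts": datetime.fromisoformat(ts), "key": key, "ip": ip, "status": status}
        for ts, key, ip, status in records
    ]


def volume_spikes(events, factor=2.0, min_requests=10):
    """Flag hourly buckets where a key's request count exceeds factor x its mean
    hourly count and is at least min_requests. Returns (key, hour, count) triples."""
    buckets = defaultdict(Counter)
    for e in events:
        buckets[e["key"]][e["ts"].replace(minute=0, second=0, microsecond=0)] += 1
    spikes = []
    for key, per_hour in buckets.items():
        mean = sum(per_hour.values()) / len(per_hour)
        for hour, count in sorted(per_hour.items()):
            if count >= min_requests and count > factor * mean:
                spikes.append((key, hour, count))
    return spikes


def unexpected_sources(events, networks=KNOWN_NETWORKS):
    """Return (key, ip) pairs for requests from outside the networks you expect."""
    seen = set()
    for e in events:
        addr = ip_address(e["ip"])
        if not any(addr in net for net in networks):
            seen.add((e["key"], e["ip"]))
    return sorted(seen)


def auth_failures(events, threshold=5):
    """Return keys with at least `threshold` 401/403 responses; a run of auth
    failures under one key suggests it is being used where it should not be."""
    failures = Counter(e["key"] for e in events if e["status"] in (401, 403))
    return {key: n for key, n in failures.items() if n >= threshold}


def stale_keys(events, all_keys=ALL_KEYS, now=REVIEW_TIME, max_idle=timedelta(days=30)):
    """Return keys not used within max_idle, or never used, as revocation candidates."""
    last_used = {}
    for e in events:
        last_used[e["key"]] = max(last_used.get(e["key"], e["ts"]), e["ts"])
    return sorted(k for k in all_keys if k not in last_used or now - last_used[k] > max_idle)


def review(records=SAMPLE_LOG):
    """Run the four Monitoring checks over a set of log records."""
    events = parse(records)
    return {
        "spikes": volume_spikes(events),
        "unexpected_sources": unexpected_sources(events),
        "auth_failures": auth_failures(events),
        "stale_keys": stale_keys(events),
    }


if __name__ == "__main__":
    for check, result in review().items():
        print(f"{check}: {result}")
```

On the sample, the 12:00 hour for production-screening-service is flagged as a spike, 203.0.113.7 is reported as an unexpected source, that key shows 12 forbidden responses, and both staging-ci-cd (last used 38 days before the review) and the never-used key-1 come back as revocation candidates. The thresholds are starting points; tune factor, min_requests and threshold against your own baseline traffic.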

Incident Response

If a key is compromised:

  1. Immediately create a new key in the Developer Portal
  2. Update your services to use the new key
  3. Revoke the compromised key
  4. Review API logs for unauthorized usage during the exposure window
  5. Contact support@compliancegrid.ai if you suspect data access
