Skip to main content

Securing Your API Routes

Learn best practices for securing your KnoxCall routes.

Authentication Methods

1. API Keys

Simple key-based authentication. When to use:
  • Internal services
  • Server-to-server communication
  • Simple integrations
Configuration:
  1. Go to RoutesClients
  2. Generate a new API key
  3. Clients send: Authorization: Bearer YOUR_API_KEY

2. JWT Tokens

Token-based authentication with expiration. When to use:
  • User-facing applications
  • Mobile apps
  • Web applications
Configuration:
  1. Configure JWT settings in route
  2. Set token expiration
  3. Add public key for verification

3. Signature Verification

Request signing for tamper protection. When to use:
  • Webhooks
  • High-security applications
  • Payment processing
Configuration:
  1. Enable signature verification
  2. Share signing secret with clients
  3. Clients sign requests with HMAC-SHA256

IP Allowlisting

Restrict access to specific IP addresses:
  1. Navigate to route settings
  2. Add allowed IPs: 
    192.168.1.1
10.0.0.0/8
  3. Only these IPs can access the route

Rate Limiting

Protect against abuse and DDoS: Configuration:
  • Requests: Number of requests allowed
  • Window: Time window (e.g., 60 seconds)
  • Burst: Allow short bursts
Example:
  • 100 requests per minute
  • Burst: 120 requests

CORS Configuration

Configure cross-origin resource sharing: 
{
  "allowed_origins": ["https://your-app.com"],
  "allowed_methods": ["GET", "POST"],
  "allowed_headers": ["Content-Type", "Authorization"]
}

Security Best Practices

1. Use HTTPS Only

  • Never send credentials over HTTP
  • Enforce HTTPS in your application

2. Rotate Keys Regularly

  • Rotate API keys every 90 days
  • Update clients before expiration

3. Principle of Least Privilege

  • Only grant necessary permissions
  • Use different keys for different services

4. Monitor for Anomalies

  • Set up alerts for unusual activity
  • Watch for failed auth attempts
  • Monitor for rate limit violations

5. Keep Secrets Secure

  • Never commit secrets to git
  • Use environment variables
  • Rotate secrets immediately if compromised

Common Security Mistakes

Don’t do this:
  • Hardcode API keys in frontend code
  • Use same key for all environments
  • Ignore rate limiting
  • Skip signature verification for webhooks
Do this instead:
  • Store keys in backend environment variables
  • Use different keys for dev/staging/prod
  • Always enable rate limiting
  • Verify webhook signatures

Audit Logs

Review security events:
  1. Go to Audit Logs
  2. Filter by event type
  3. Look for suspicious activity

📊 Statistics

  • Views: 1
  • Helpful: 0 👍
  • Level: intermediate

🏷️ Tags

security, authentication, api-keys, best-practices