API Key Security
API keys provide a mechanism for programmatic access to EDS. Because these keys grant significant permissions, they must be handled with care.
How EDS Secures Keys
To protect your storage nodes and data, EDS implements several security layers for API keys:
1. One-Time Reveal
When you generate an API key, the full key is displayed only once. Neither EDS nor its administrators can retrieve the full key once the generation dialog is closed.
2. SHA-256 Hashing
EDS never stores your actual API keys in the database. Instead, it stores a cryptographic hash (SHA-256) of the key.
- When you make an API request, EDS hashes the provided key and compares it to the stored hash.
- Even if the database is compromised, an attacker cannot retrieve the original API keys from the hashes.
3. Identification Prefixes
The first few characters of the key (e.g., exstr_l...) are stored in plain text to allow the dashboard to identify and list your keys without revealing the full secret.
Your Responsibility
While EDS secures the storage of keys, you are responsible for their usage:
- Environment Variables: Always store keys in environment variables (e.g.,
.env) and never commit them to version control (Git). - Least Privilege: Use different keys for different applications or scripts. This makes it easier to revoke access for a single script without affecting others.
- Regular Rotation: Periodically generate new keys and delete old ones to limit the impact of potential key leaks.
⚠️ Compromised Keys
If you suspect an API key has been leaked, deactivate or delete it immediately in the Manager Dashboard. This will instantly revoke access for all scripts using that key.
Verification
You can monitor the Last Used timestamp for each key in the dashboard. If you see a key being used at a time your scripts weren't running, it may be compromised.