API Keys

What Are FastFuels API Keys?

API keys are unique identifiers that allow you to authenticate and interact with the FastFuels API. They act as a secure gateway, enabling your projects and applications to access the FastFuels API for creating, modifying, and exporting data.

Key Expiration and Security Best Practices

When creating an API key, you’ll need to specify how long the key should remain valid. Setting an expiration date for your API keys is a critical component of your API security strategy. This section explains the importance of key expiration and outlines best practices for managing your FastFuels API keys securely.

Importance of Expiration Dates

When creating an API key, you’re required to set its validity period. This practice enhances your security in several ways:

• Limited Exposure: An expiring key limits the window of opportunity for potential security breaches.
• Enforced Key Rotation: Regular expiration encourages systematic review and update of your API keys.
• Automatic Cleanup: Expiration helps maintain an up-to-date list of active keys.

The Expiration Process

When an API key reaches its expiration date:

1. It immediately ceases to authenticate requests to the FastFuels API.
2. Applications or scripts using the expired key will stop functioning.
3. A new key must be generated to restore access.

Note

Plan ahead for key expiration to avoid unexpected disruptions to your services.

API Key Security Best Practices

Implement these best practices to enhance the security of your FastFuels account:

1. Set Strategic Expiration Periods

   • Balance security and operational needs
   • Recommended: 30-90 days for most use cases
   • Consider longer periods only for highly secure, stable environments

2. Implement Proactive Key Rotation

   • Rotate keys regularly, not just at expiration
   • Develop processes for smooth key updates in your applications

3. Apply the Principle of Least Privilege

   • Assign minimum necessary scope and access type
   • Regularly review and adjust permissions as needs change

4. Monitor Key Usage

   • Maintain awareness of active keys and their usage patterns
   • Promptly revoke keys that are no longer necessary

5. Ensure Secure Key Storage

   • Treat API keys with the same level of security as passwords
   • Utilize secure vaults or environment variables for key storage

Tip

Consider implementing automated key rotation in your applications to maintain security while ensuring continuous operation.

Access Types

An API key can have one of two access types: Personal or Application. While functionally similar, these access types serve different purposes and are suited to specific use cases.

Personal API Keys

Personal API keys are directly associated with individual user accounts. They are ideal for individual development projects, testing, and scenarios where personal data ownership is preferred. All API actions using a personal key are attributed to the associated user account. To create a personal API key, refer to our “Create a Personal Access Key” tutorial.

Application API Keys

Application API keys are designed for scenarios where data should not be tied to an individual user account. They are best suited for third-party applications integrating FastFuels, multi-user systems requiring shared data access, and production environments. API actions using an application key are attributed to the application itself. To create an application and its associated API key, follow our “Create an Application” and “Create an Application API Key” tutorials.

Selecting the Appropriate Access Type

Consider the following factors when deciding between Personal and Application API keys:

1. Data Ownership:

   • Personal keys: Suitable when data should be owned by a specific user
   • Application keys: Preferable when data should be owned by the application itself

2. User Access:

   • Personal keys: Ideal for single-user scenarios
   • Application keys: Support multi-user access to a shared data set

3. Integration Type:

   • Personal keys: Well-suited for individual projects and testing environments
   • Application keys: Optimal for production environments and third-party integrations

4. Scalability:

   • Personal keys: May have limitations for large-scale operations
   • Application keys: Offer enhanced scalability for growing systems and user bases

5. Security and Compliance:

   • Consider your organization’s security policies and compliance requirements when selecting an access type
   • Consult with your security team if you have specific regulatory needs

Choosing between Personal and Application API keys depends on your specific use case, development stage, and organizational requirements. Both options provide full access to the FastFuels API, but they differ in how they manage data attribution and access control.

Remember, you can always start with one type and transition to the other as your needs evolve. The FastFuels platform is designed to accommodate your growth and changing requirements.

Scopes

When creating a FastFuels API key, you must specify its scope. The scope determines what actions the API key can perform.

FastFuels offers two scopes for API keys:

1. Read: Allows the API key to retrieve data from FastFuels but not modify it.

2. Write: Allows the API key to both read and modify data in FastFuels.

Choose the scope that best fits your needs. If you only need to access data, use a read scope. If you need to create or update data, use a write scope.

Tip

You can create multiple API keys with different scopes for various use cases within your project.

For detailed information on how these scopes affect specific API endpoints, please refer to our API Reference documentation.