Securing API Tokens

Best practice for keeping your API tokens confidential and secure.

API tokens give you "access all areas" privileges to your Claimable account. This is useful and powerful for building robust and innovative integrations, but it can also pose a security risk if your tokens are not properly secured.

🔐 API Token Security Guidelines

Every integration project and development team is different, and you should follow the rules set out by your corporate IT policies, but the following general guidelines will help you adopt widely-accepted best practice when it comes to securing your API tokens.

❌ Don't:

  1. Never share your API token with anyone outside your team or organisation.
  2. Never send your API token over email or any unsecured channel.
  3. Never write your API token down or store it in an unencrypted location.
  4. Never "hardcode" your API token or commit it to source control.
  5. Never store your API token in client-side code (e.g. JS, HTML) or in browser cookies or local storage.

✅ Do:

  1. Immediately revoke an API token if you suspect it is compromised.
  2. Rotate API tokens regularly. At least once per year is ideal.
  3. Always use HTTPS (secure HTTP) when transporting your API token.
  4. Use different API tokens for staging, test and production environments.
  5. Use server-side environment variables to avoid committing API tokens to source code and limit their exposure beyond your secure deployed environments.
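
As an added example (not part of the Claimable documentation or API), here is one way a server-side service could apply "Do" guidelines 3 to 5 when it starts up. The variable names `CLAIMABLE_API_TOKEN_<ENV>`, the base URL `https://api.example.invalid` and the helper names are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Assumed naming (not from the Claimable docs): one variable per environment.
ENVIRONMENTS = ("staging", "test", "production")
TOKEN_VAR = "CLAIMABLE_API_TOKEN_{env}"


class TokenConfigError(RuntimeError):
    """Raised when the token setup breaks one of the guidelines."""


@dataclass(frozen=True)
class ApiCredentials:
    environment: str
    base_url: str
    token: str = field(repr=False)  # keep the secret out of logs and tracebacks

    def fingerprint(self) -> str:
        """Short SHA-256 prefix that identifies the token without revealing it."""
        return hashlib.sha256(self.token.encode()).hexdigest()[:8]


def load_credentials(environment, base_url, environ=os.environ):
    """Read the token for one environment from server-side variables."""
    if environment not in ENVIRONMENTS:
        raise TokenConfigError(f"unknown environment: {environment!r}")
    parts = urlsplit(base_url)
    if parts.scheme != "https" or not parts.hostname:
        raise TokenConfigError("API base URL must use HTTPS")
    name = TOKEN_VAR.format(env=environment.upper())
    token = environ.get(name, "").strip()
    if not token:
        raise TokenConfigError(f"{name} is not set")
    # The same token configured for two environments defeats guideline 4.
    for other in ENVIRONMENTS:
        value = environ.get(TOKEN_VAR.format(env=other.upper()), "").strip()
        if other != environment and value and hmac.compare_digest(value.encode(), token.encode()):
            raise TokenConfigError(f"{name} reuses the {other} token")
    return ApiCredentials(environment, base_url, token)


if __name__ == "__main__":
    # Constructed sample values; real tokens come from the deployment environment.
    fake = {"CLAIMABLE_API_TOKEN_STAGING": "constructed-staging-token"}
    creds = load_credentials("staging", "https://api.example.invalid", fake)
    print(creds, creds.fingerprint())
```

Log `fingerprint()` rather than the token itself to confirm which token a deployment is using, for example after a rotation.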

❗️ Protect API Tokens

Treat your API tokens like top-secret passwords and avoid writing them down or sharing them.

🔄 API Token Rotation

To further boost security, it's a good idea to "rotate" your API tokens on a regular basis, such as annually.

This is a simple process that typically involves generating new API tokens, updating them in your projects, then revoking the old token once you've confirmed the new token works.

We recommend you rotate your Claimable API token on a regular basis.

