API Authentication and Security

Authentication and security are essential when working with Notify's API. This guide covers secure authentication using API keys, best practices for managing and protecting these keys, and guidelines for securely accessing Notify's API.

1. API Key Authentication

Notify uses API keys to authenticate and authorize requests to its endpoints. API keys are unique to each company profile you create on Notify and allow access to specific features and data.

Retrieving Your API Key

  1. Log in to Notify: After logging in to the Notify dashboard, ensure you've set up a Company Profile.
  2. Access API Key: Go to the Credentials section in the dashboard, where your unique API key will be displayed.
  3. Copy the API Key: Use the Copy button to copy the key and store it securely, as you will need it for authenticating your requests.

Important: Treat your API key like a password: do not share it publicly or store it in insecure locations.

2. Authenticating API Requests

All API requests to Notify require an Authorization header with your API key to verify identity and permissions.

Example Request Headers

Authorization: Bearer <your_api_key>
Content-Type: application/json

Example Using Node.js Fetch

Here's a sample API call using fetch with your API key included in the header.

const fetchData = async () => {
  try {
    const response = await fetch('https://api.notify.com/your-endpoint', {
      method: 'GET',
      headers: {
        'Content-Type': 'application/json',
        'Authorization': `Bearer <your_api_key>`,
      },
    });

    if (!response.ok) {
      throw new Error('Failed to fetch data');
    }

    const result = await response.json();
    console.log('Data:', result);
  } catch (error) {
    console.error('Error:', error);
  }
};

fetchData();

This example demonstrates a simple GET request. For other request types, adjust the method and body accordingly.

3. Managing and Rotating API Keys

For enhanced security, it's crucial to periodically rotate your API keys and to delete keys that are no longer in use.

Generating a New API Key

  1. Go to Credentials in the Notify dashboard.
  2. Click Generate New Key to create a new key.
  3. Update your application code with the new key, and test it to ensure smooth functionality.

Deleting Old API Keys

Once you've rotated to a new API key:

  1. Identify any old keys in the Credentials section.
  2. Select and delete keys that are no longer in use.

Tip: After rotating keys, test your application thoroughly to avoid disruptions.

4. Best Practices for API Key Security

To maintain security, follow these best practices:

  • Never hardcode API keys in source files, especially in publicly accessible repositories.
  • Use environment variables: Store your API key in environment variables (for example loaded from a .env file that is kept out of version control) or in a secrets vault, so the key never appears in your code.
  • Limit access: Only share the API key with trusted parties and restrict access based on the principle of least privilege.
  • Monitor API usage: Regularly review your API usage in Notify's dashboard to detect any unusual or unauthorized activity.

Example Using Environment Variables

In Node.js, you can provide your API key as an environment variable by adding it to a .env file. Node.js does not read .env files on its own, so load the file at startup with the dotenv package or by starting Node with --env-file=.env (available from Node.js 20.6):

.env

notify_API_KEY=your_api_key_here

Then, access it in your code like so:

// Node.js does not read .env files on its own: load it first with the dotenv
// package (require('dotenv').config()) or start Node with --env-file=.env.
const apiKey = process.env.notify_API_KEY;

const fetchData = async () => {
  try {
    const response = await fetch('https://api.notify.com/your-endpoint', {
      method: 'GET',
      headers: {
        'Content-Type': 'application/json',
        'Authorization': `Bearer ${apiKey}`,
      },
    });

    if (!response.ok) {
      throw new Error('Failed to fetch data');
    }

    const result = await response.json();
    console.log('Data:', result);
  } catch (error) {
    console.error('Error:', error);
  }
};

fetchData();

Note: Be sure to add .env to your .gitignore file to prevent accidental commits of sensitive information.
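The following is an added example, not code from Notify's documentation, that puts the practices above into a small startup routine: it reads the key from the notify_API_KEY variable used in the .env example, refuses to start when the key is missing or malformed, and gives you a redacted view of the headers that is safe to log. Everything beyond the variable name is generic Node.js and an assumption of this example.

```javascript
// Added example (not Notify's own code). It assumes the notify_API_KEY
// variable from the .env example above; everything else is generic Node.js.

const KEY_VAR = 'notify_API_KEY';

// Read and sanity-check the key. `env` is injectable so the checks can be
// exercised without touching the real process environment.
function loadApiKey(env = process.env) {
  const raw = env[KEY_VAR];
  if (typeof raw !== 'string' || raw.trim() === '') {
    throw new Error(`${KEY_VAR} is not set; refusing to start without credentials`);
  }
  // Strip whitespace and quotes left over from a shell export or a .env line.
  const key = raw.trim().replace(/^["']|["']$/g, '');
  // A frequent copy/paste mistake: the scheme pasted into the variable.
  if (/^bearer\s/i.test(key)) {
    throw new Error(`${KEY_VAR} must hold the bare key, not "Bearer <key>"`);
  }
  return key;
}

function buildHeaders(apiKey) {
  return {
    'Content-Type': 'application/json',
    Authorization: `Bearer ${apiKey}`,
  };
}

// Replace every occurrence of the key in a string (error text, dumped request
// options, stack traces) with a fixed marker before it is logged.
function redactKey(text, apiKey) {
  if (!apiKey) return String(text);
  return String(text).split(apiKey).join('[REDACTED]');
}

// A view of the headers that is safe to log: header names and the auth scheme
// survive, the credential does not.
function describeHeadersForLog(headers) {
  return Object.fromEntries(
    Object.entries(headers).map(([name, value]) =>
      name.toLowerCase() === 'authorization'
        ? [name, `${value.split(' ')[0]} [REDACTED]`]
        : [name, value],
    ),
  );
}

// Usage: load once at startup and log only the redacted view.
try {
  const apiKey = loadApiKey();
  console.log('Headers:', describeHeadersForLog(buildHeaders(apiKey)));
} catch (err) {
  console.error(err.message);
}
```

Because the key is read from the environment once at startup, rotating it (section 3) is a matter of updating the variable and restarting the process; nothing in the source tree changes. Pass any string you are about to log through redactKey if it might have been built from request options.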

5. Error Handling and Security Responses

Notify's API provides detailed error responses that can help you troubleshoot authentication issues. Common authentication errors include:

  • 401 Unauthorized: The API key is invalid or missing.
  • 403 Forbidden: The request is valid, but the API key does not have permission to access the resource.
  • 429 Too Many Requests: Rate limits have been exceeded.

Handling Authentication Errors

When an error occurs, log the details but avoid logging sensitive information like the API key itself.

Example error handling:

const apiKey = process.env.notify_API_KEY;

const fetchData = async () => {
  try {
    const response = await fetch('https://api.notify.com/your-endpoint', {
      method: 'GET',
      headers: {
        'Content-Type': 'application/json',
        'Authorization': `Bearer ${apiKey}`,
      },
    });

    if (!response.ok) {
      if (response.status === 401) {
        console.error('Unauthorized: Check your API key.');
      } else if (response.status === 403) {
        console.error('Forbidden: You do not have access to this resource.');
      } else if (response.status === 429) {
        console.error('Rate limit exceeded: Please try again later.');
      } else {
        console.error('Error:', response.statusText);
      }
      return;
    }

    const result = await response.json();
    console.log('Data:', result);
  } catch (error) {
    // Network or parsing failure. Log the error object, never the request
    // headers, so the key stays out of the logs.
    console.error('Error:', error);
  }
};

fetchData();
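As an added example (not part of Notify's documentation), the snippet below turns the three error cases above into a small decision function and a bounded retry loop: 401 and 403 are treated as final, because resending the same key cannot fix them, while 429 is retried after the delay the server states in a standard Retry-After header. The thrown error carries only the status and reason, so the key cannot leak through an error reporter. The fetch implementation and the sleep function are injectable, and a constructed fake response stands in for the real server so the code runs offline; the function names and the fake server are assumptions of this example.

```javascript
// Added example (not Notify's own code). It assumes only the status codes
// listed above and the standard Retry-After header; `fetchImpl` and `sleep`
// are injectable so the logic can be run against a constructed fake server.

// Retry-After may be a delay in seconds or an HTTP-date; return milliseconds,
// or null when the header is absent or unparseable.
function parseRetryAfter(value, nowMs = Date.now()) {
  if (value == null || value === '') return null;
  const seconds = Number(value);
  if (Number.isFinite(seconds) && seconds >= 0) return seconds * 1000;
  const date = Date.parse(value);
  return Number.isNaN(date) ? null : Math.max(0, date - nowMs);
}

// Decide what the caller should do with a status. Only 429 is worth a retry:
// a 401 or 403 will not fix itself by resending with the same key.
function classifyResponse(status, retryAfterHeader) {
  if (status >= 200 && status < 300) return { ok: true, retry: false, reason: 'ok' };
  switch (status) {
    case 401:
      return { ok: false, retry: false, reason: 'unauthorized: check the API key' };
    case 403:
      return { ok: false, retry: false, reason: 'forbidden: key lacks permission for this resource' };
    case 429:
      return { ok: false, retry: true, reason: 'rate limited', retryAfterMs: parseRetryAfter(retryAfterHeader) ?? 1000 };
    default:
      return { ok: false, retry: false, reason: `unexpected status ${status}` };
  }
}

async function fetchWithRetry(url, apiKey, options = {}) {
  const {
    fetchImpl = fetch,
    sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms)),
    maxAttempts = 3,
  } = options;
  const attempts = [];
  for (let attempt = 1; attempt <= maxAttempts; attempt++) {
    const response = await fetchImpl(url, {
      method: 'GET',
      headers: { 'Content-Type': 'application/json', Authorization: `Bearer ${apiKey}` },
    });
    const verdict = classifyResponse(response.status, response.headers.get('retry-after'));
    attempts.push({ attempt, status: response.status, reason: verdict.reason });
    if (verdict.ok) return { data: await response.json(), attempts };
    if (!verdict.retry || attempt === maxAttempts) {
      // The error carries the status and reason only. The request options
      // (which hold the Authorization header) are deliberately not attached,
      // so logging or reporting this error cannot leak the key.
      throw Object.assign(new Error(`${verdict.reason} (status ${response.status})`), {
        status: response.status,
        attempts,
      });
    }
    await sleep(verdict.retryAfterMs);
  }
}

// Constructed stand-in for a fetch Response, used by the demo below.
function fakeResponse(status, body = null, headers = {}) {
  return {
    status,
    headers: { get: (name) => headers[name.toLowerCase()] ?? null },
    json: async () => body,
  };
}

// Demo against a fake server that rate-limits once and then succeeds.
(async () => {
  const queue = [fakeResponse(429, null, { 'retry-after': '1' }), fakeResponse(200, { items: [] })];
  const result = await fetchWithRetry('https://api.notify.com/your-endpoint', 'constructed-key', {
    fetchImpl: async () => queue.shift(),
    sleep: async () => {},
  });
  console.log('Attempts:', result.attempts);
})().catch((err) => console.error('Error:', err.message));
```

To use it against the real API, call fetchWithRetry(url, apiKey) with no options: the defaults fall back to the global fetch and a real setTimeout-based sleep. A persistent 401 after a key rotation usually means the old key is still in the environment the process was started with.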

6. Monitoring and Logging API Access

Notify's dashboard provides logs for monitoring API access, allowing you to:

  1. View recent requests and detect suspicious activity.
  2. Track usage statistics to optimize and scale your integrations.
  3. Identify and revoke compromised API keys if needed.

Tip: Regularly review your API access logs and set up alerts for unusual activity.