Best Practises for Infura API Key Management

This article outlines the various techniques Infura supports to help keep your API credentials safe. It covers best practices for managing credentials and tokens, including API keys, JSON Web Tokens (JWT), and API key secrets for secure verification.

Failing to handle secrets appropriately can have disastrous consequences. Poor practices, such as hard-coding secrets directly in the source code, put credentials at risk. When these credentials are leaked to public and open-source repositories, they become scannable and, therefore, compromised. Once a key is exposed, unauthorized users can exploit your project’s request quota, resulting in unexpected costs.

Even in private repositories, your developer team is often dynamic. Hard-coding secrets make them accessible to the entire team, allowing individuals to take these secrets with them when they leave. Proper secret management is crucial, as insecure transmission of client-side secrets makes them vulnerable to exposure.

Infura supports developers in applying industry best practices to leverage our API and authenticate requests securely.

How Infura supports best practices

1. Secure key sharing

A key owner can share key access through Infura's secure dashboard environment. The shared key will appear in the contributor's account, allowing them to view any associated JWT or API key secret. Contributors will have view-only permissions and won't be able to update these values, as updates are restricted to the key owner. This setup lets your team use Infura's dashboard for secure key sharing and management.

However, safely accessing keys is just one aspect of security; how you use these keys also impacts your security profile. What best practices should you follow? Let’s explore how you and your team can ensure the best security for your dapps.

2. Granular control

The API key is your entry point to Infura's services, so each key must apply the principle of least privilege. API keys with overly broad permissions increase the impact of a compromise. While Infura's free plan is limited to one key, the paid plans allow you to create additional keys and assign granular permissions for each specific use case, reducing the impact of a compromised API key.

Segregate environments
It's recommended that you set up different keys for different environments, that is, create separate keys for use in development, staging, and production environments.

Key scope
As mentioned previously, granular control over what each API key does is vital to reduce the impact of any security incident. Each API key has several settings to control its scope.

Limit network access
You must nominate which networks each key may access and whether it may access the mainnet, testnet, or both.

Allowlists
Each key's scope can be further controlled using allowlists. API keys can be assigned to only work with specified:

• User agents
• Origins
• Request methods
• Contract addresses: for those RPC methods that take an Ethereum address parameter

3. Authenticate requests

Infura supports two authentication methods. You may require either a JWT or an API key secret for all requests or an API key secret and supply a JWT.

API key secret
Each API key can be configured to work only when paired with its API key secret. The API key secret is an excellent choice if your dapp includes server-side components. The API key secret provides a two-pronged approach that strengthens the authentication process by ensuring that requests are only accepted from authorized sources. 

Store and use the API key secret on the server side to prevent exposure to client-side risks, such as malicious actors gaining access through browser inspection tools or network monitoring.

JSON Web Token (JWT)
Infura supports JWTs, allowing you to embed claims and enforce authorized access with a JWT. Embedding specific claims in the token narrows the scope of what can be achieved if the token were compromised, severely limiting the token’s utility. 

A JWT may be required for all requests, or you can create allowlists to restrict specific activity to users without JWTs. By providing support for JWT, Infura enables you to:

• Verify and authenticate access requests.
• Control the expiration date of claims: if the token is leaked, its use will be short-term.
• Embed allowed contract addresses: by constructing the JWT dynamically, there is no need to return to Infura’s dashboard to update address details.
• Specify allowed domains and IP addresses for token use: by constructing the JWT dynamically, there is no need to return to Infura’s dashboard to update allowed request origins.

For example, in a system with proxy contracts, allowlists can restrict users to sending requests to their own proxy only. In this way, only authenticated users can leverage your API key by including a JWT in their request headers. 

To improve your app’s security, we recommend leveraging cryptographic signing methods such as RSA or ECDSA (specifically ES256) to ensure the authenticity of the JWT data. These methods use asymmetric key pairs to guarantee the data’s authenticity.

Furthermore, Infura allows you to upload up to three JWT keys for each API key to support key rotation. You may even use both signing methods.

Mitigating secret leakage

You have already mitigated the damage by limiting the scope of the credentials and setting up a second layer of authentication. However, should a breach occur, you want to know about it as soon as possible to minimize damage through quick detection and response. What more can you and your team do to keep your Infura secrets safe?

1. Rate limits

Infura's rate limits ensure that each key is protected from abuse that can follow unintended access. Once someone reaches the key's threshold, they cannot run up your bill. You may apply a per-second or per-day limit.

2. Monitor

Rather than being alerted to a breach when a key is maxed out, we recommend monitoring your key's usage statistics to identify unusual traffic.

3. Apply best practices for securing keys

The safest approach is to keep the files outside your application's source tree to ensure your keys do not end up in your source code control system. Several secret service providers, such as GitHub Action, GCP, and AWS, may be leveraged to harden your team's security by removing the need to share keys.

Share API Keys securely
When you share keys, consider activating Infura’s 2FA login and using Infura’s project sharing feature to allow your team to access keys securely. If you transmit keys, consider how to do so securely. Transmitting API keys over insecure channels (e.g., HTTP) can expose them to interception, so always use HTTPS to encrypt data in transit. It's also best to verify SSL/TLS certificates to prevent man-in-the-middle attacks.

Don't use plain text (through emails or chat) when transmitting API keys, as this increases the risk of accidental exposure. Rather, use secure methods for sharing API keys, such as password managers or encrypted communication.

Once keys are safely shared, encourage everyone on your team to follow best practices. First, this means no one embeds API keys directly into the code. When teams wish to keep a key within an app source tree, they must place the key in an environment file and add it to their .gitignore. 

4. Rotate and delete secrets regularly

Static credentials that are never rotated become ever more vulnerable to exposure. Implement a regular rotation policy for all of your Infura project credentials. Use automation to update keys in applications and configurations seamlessly. Furthermore, to minimize your exposure to attack, delete any API keys you no longer need.

5. Regularly scan repositories

Set up third-party tools to regularly scan repositories for exposed secrets, for example, GitGuardian or TruffleHog. If a code review does reveal a secret, then you will need to undertake a git clean.

As is so often the case, prevention is better than the cure. At Infura, we are passionate about self-custody and advocate a strong security mindset to protect dapp users. By applying the strategies outlined here, you can minimize the likelihood of secret exposure and the impact of any breach.

What next?

Consider running through the tutorial that covers authenticating an Infura API call with JWT. If you’re new to key management, consider OWASP’s Key Management Cheat Sheet. Are you building in JavaScript? Learn about the LavaMoat toolset for securing JavaScript projects against malicious dependency attacks.