API Security Guide - Miniback Documentation

API Security Best Practices

Learn how to securely use Miniback’s API while protecting your data and staying within plan limits.

🔒 Security Checklist

  • Store in environment variables (.env files, never commit)
  • Server-side only (NEVER in client-side JavaScript)
  • Use header auth: x-api-key: mbk_your_key
  • Regenerate if exposed (Project → API Access → Regenerate)
  • Rotate every 90 days (best practice)

Access levels: FREE (POST only) • STARTER (full CRUD) • PRO (unlimited)

API Key Basics

What is an API Key?

Your API key is a secret token that identifies your project and grants programmatic access to Miniback’s API. It acts like a password for your application.

Format: mbk_ followed by a random string
Example: mbk_1a2b3c4d5e6f7g8h9i0j

Plan-Based API Access

Plan      Access Level   Endpoints              Rate Limit
FREE      Limited        POST feedback only     300 calls/month
STARTER   Full           All CRUD operations    10,000 calls/month
PRO       Full           All CRUD operations    Unlimited

Generating Your First API Key

Step 1: Navigate to Project Settings

  1. Sign in to your Miniback dashboard
  2. Select your project
  3. Click on the project name to view details
  4. Scroll to “API Access” section

Step 2: Generate Key

  1. Click “Generate API Key” button
  2. Your key appears immediately - copy it now
  3. The key is only shown once - store it securely

Step 3: Save Securely

Store your API key in a secure location:

Good practices:

  • Environment variables (.env file)
  • Secret management services (AWS Secrets Manager, HashiCorp Vault)
  • Password managers (1Password, LastPass)
  • CI/CD secret stores (GitHub Secrets, GitLab CI Variables)

Never:

  • Commit to version control (Git)
  • Hardcode in client-side JavaScript
  • Share via email or chat
  • Store in shared, synced or world-readable plain text files (a local .env kept out of Git and readable only by the service user is the one exception above)

Using API Keys Safely

Server-Side Only

✅ CORRECT: Server-side usage

    // Backend/server code - Node.js example
    // Node 18+ ships a global fetch; on older versions install node-fetch.
    const fetch = globalThis.fetch || require('node-fetch');

    async function submitFeedback(message) {
      const response = await fetch('https://your-domain.com/api/projects/proj_123/feedback', {
        method: 'POST',
        headers: {
          'x-api-key': process.env.MINIBACK_API_KEY, // From environment variable, never a literal
          'Content-Type': 'application/json'
        },
        body: JSON.stringify({ message })
      });
      if (!response.ok) {
        // Surface auth and rate-limit failures instead of parsing an error body as success
        throw new Error(`Miniback request failed: ${response.status}`);
      }
      return response.json();
    }

❌ INCORRECT: Client-side exposure

    // DON'T DO THIS - exposed in browser!
    async function submitFeedback(message) {
      const response = await fetch('https://your-domain.com/api/projects/proj_123/feedback', {
        method: 'POST',
        headers: {
          'x-api-key': 'mbk_1a2b3c4d5e6f7g8h9i0j', // DANGER: Exposed to users!
          'Content-Type': 'application/json'
        },
        body: JSON.stringify({ message })
      });
    }
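The server-side rule in practice means the browser never calls Miniback directly: it posts to a route on your own backend, and that route attaches the key and forwards the request. The following is an added example, not Miniback's own code. It uses the URL shape and environment variable names from this guide; the 2000-character message limit, the 429 status for a plan rate limit, the `id` field in the success response and the injectable `fetchImpl` parameter are assumptions made for illustration.

```javascript
// Added example (not Miniback's code): a server-side proxy that keeps the
// API key out of the browser. The browser posts to /feedback on *your*
// server; this handler validates the input and forwards it to Miniback
// with the key read from the environment. `fetchImpl` is injectable so
// the logic can be exercised offline with a stub.

// Read the key once at startup and fail fast on a missing or malformed
// value. An undefined process.env.MINIBACK_API_KEY would otherwise be sent
// as the string "undefined" and only fail at request time.
function loadConfig(env = process.env) {
  const apiKey = env.MINIBACK_API_KEY;
  const projectId = env.MINIBACK_PROJECT_ID;
  if (!apiKey || !apiKey.startsWith('mbk_')) {
    throw new Error('MINIBACK_API_KEY is missing or not an mbk_ key');
  }
  if (!projectId) {
    throw new Error('MINIBACK_PROJECT_ID is missing');
  }
  // MINIBACK_BASE_URL is an assumed extra variable; the guide's placeholder host is the default.
  return { apiKey, projectId, baseUrl: env.MINIBACK_BASE_URL || 'https://your-domain.com' };
}

// Builds the handler for your own POST /feedback route. Returns a plain
// { status, body } object so it can be wired into any HTTP framework.
function createFeedbackProxy(config, fetchImpl = globalThis.fetch) {
  const url = `${config.baseUrl}/api/projects/${config.projectId}/feedback`;

  return async function handleFeedback(clientBody) {
    // Validate untrusted browser input before forwarding; only the field
    // this integration needs is passed on. 2000 chars is an assumed app limit.
    const message = typeof clientBody?.message === 'string' ? clientBody.message.trim() : '';
    if (!message || message.length > 2000) {
      return { status: 400, body: { error: 'message must be 1-2000 characters' } };
    }

    const upstream = await fetchImpl(url, {
      method: 'POST',
      headers: {
        'x-api-key': config.apiKey,          // the key never leaves the server
        'Content-Type': 'application/json',
      },
      body: JSON.stringify({ message }),
    });

    // Assumption: plan rate limits come back as HTTP 429. Tell the caller
    // instead of pretending success.
    if (upstream.status === 429) {
      return { status: 429, body: { error: 'feedback temporarily unavailable, try again later' } };
    }
    if (!upstream.ok) {
      // Do not echo the upstream body to the browser: error details belong
      // in server logs, not in the client response.
      return { status: 502, body: { error: 'upstream error' } };
    }
    const data = await upstream.json();
    // Assumption: the success response carries an `id`; only that is returned.
    return { status: 200, body: { ok: true, id: data.id } };
  };
}
```

Wire `handleFeedback` to your framework's route handler and pass `req.body` in; the response object never contains the key, so even a logging middleware that dumps responses cannot leak it.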

Environment Variables

Set up environment variables:

    # .env file (add to .gitignore!)
    MINIBACK_API_KEY=mbk_1a2b3c4d5e6f7g8h9i0j
    MINIBACK_PROJECT_ID=proj_123abc

A .env file is not read by Node.js on its own: load it with `node --env-file=.env` (Node 20.6+) or the dotenv package, or have your process manager or container runtime inject the variables.

    // Access in your code
    const apiKey = process.env.MINIBACK_API_KEY;
    const projectId = process.env.MINIBACK_PROJECT_ID;

.gitignore (CRITICAL)

    # Always ignore .env files
    .env
    .env.local
    .env.production
    .env.*.local

    # Prevent committing keys
    secrets.json
    config/keys.js

Note that .gitignore only stops files from being added; it does not remove a file that was already committed, and rewriting history does not recall clones or forks. If a key has ever been pushed, treat it as exposed and regenerate it.
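.gitignore protects the obvious files, but a key pasted into a debug script or a README will still be committed. A pre-commit scan over the staged content catches that. The following is an added example, not Miniback's own tooling; the pattern assumes that the "random string" after mbk_ is 16 or more letters and digits, and the sample repository contents are constructed.

```javascript
// Added example (not Miniback's code): a pre-commit style scan for keys
// that slipped into source. Pattern assumption: the guide says keys are
// "mbk_ followed by a random string"; here that is taken to be 16 or more
// letters/digits. Placeholders such as mbk_YOUR_KEY_HERE do not match
// (underscore, too short), and reading the key via process.env produces
// no finding, so the approved pattern passes the hook.
const MBK_KEY_PATTERN = /\bmbk_[A-Za-z0-9]{16,}\b/g;

// Returns one finding per occurrence with a line number and a masked
// preview, so the finding itself can be logged without re-leaking the key.
function findLeakedKeys(text, filename = '<stdin>') {
  const findings = [];
  text.split('\n').forEach((line, idx) => {
    for (const match of line.matchAll(MBK_KEY_PATTERN)) {
      const key = match[0];
      findings.push({
        file: filename,
        line: idx + 1,
        masked: `${key.slice(0, 8)}...${key.slice(-4)}`,
      });
    }
  });
  return findings;
}

// Scans a list of { name, content } entries (e.g. the staged files from
// `git diff --cached --name-only` read from the index).
function scanFiles(files) {
  return files.flatMap(({ name, content }) => findLeakedKeys(content, name));
}

// Constructed sample repository contents (not real keys).
const SAMPLE_FILES = [
  { name: 'src/feedback.js', content: "const key = process.env.MINIBACK_API_KEY;\nfetch(url, { headers: { 'x-api-key': key } });\n" },
  { name: 'scripts/debug.js', content: "// TODO remove before commit\nconst key = 'mbk_1a2b3c4d5e6f7g8h9i0j';\n" },
  { name: 'README.md', content: 'Use header auth: x-api-key: mbk_YOUR_KEY_HERE\n' },
];

// Exit code for the hook: non-zero blocks the commit.
function main(files = SAMPLE_FILES) {
  const findings = scanFiles(files);
  for (const f of findings) {
    console.error(`${f.file}:${f.line}: possible Miniback API key ${f.masked}`);
  }
  return findings.length === 0 ? 0 : 1;
}
```

In a real hook, replace `SAMPLE_FILES` with the staged files' contents and call `process.exit(main(files))`; the masked preview lets a reviewer confirm which key it was against the dashboard without the hook output becoming a second leak.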

Authentication Methods

Header Authentication (Recommended)

    curl -H "x-api-key: mbk_YOUR_KEY_HERE" \
      https://your-domain.com/api/projects/proj_123/feedback

Advantages:

  • More secure (not recorded in URL-based access logs or browser history)
  • Standard practice
  • Cleaner code

Query Parameter Authentication

curl "https://your-domain.com/api/projects/proj_123/feedback?api_key=mbk_YOUR_KEY_HERE"

Caution:

  • May appear in server, proxy and CDN access logs along the whole request path
  • Visible in browser history
  • Use only when headers aren’t possible, and make sure your own logging redacts the api_key parameter
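If a key does travel in a query string, or a debugging statement dumps request headers, the key ends up in log storage that is usually far less protected than the secret store. The following is an added example, not Miniback's own code: a redaction step to run over log lines before they are written, covering both places this guide puts the key. The sample log lines are constructed, and the key shape (mbk_ plus letters and digits) is the same assumption as above.

```javascript
// Added example (not Miniback's code): scrub Miniback keys from log lines
// before they are written. Handles the two forms in the guide: an
// api_key query parameter and an x-api-key header. The last four
// characters are kept as a fingerprint so an old and a regenerated key
// can still be told apart when investigating. Key shape assumption:
// mbk_ followed by letters/digits.

function fingerprint(key) {
  return `mbk_***${key.slice(-4)}`;
}

function redactApiKeys(line) {
  return line
    // api_key=mbk_... inside a URL query string
    .replace(/([?&]api_key=)(mbk_[A-Za-z0-9]+)/g, (_, prefix, key) => prefix + fingerprint(key))
    // x-api-key header dumps: "x-api-key: mbk_...", "x-api-key":"mbk_...", x-api-key=mbk_...
    .replace(/(x-api-key["']?\s*[:=]\s*["']?)(mbk_[A-Za-z0-9]+)/gi, (_, prefix, key) => prefix + fingerprint(key));
}

function redactLog(lines) {
  return lines.map(redactApiKeys);
}

// Constructed sample log lines (not real traffic).
const SAMPLE_LOG = [
  '2024-05-01T10:00:00Z GET /api/projects/proj_123/feedback?api_key=mbk_1a2b3c4d5e6f7g8h9i0j&page=2 200',
  '2024-05-01T10:00:01Z debug headers={"x-api-key":"mbk_1a2b3c4d5e6f7g8h9i0j","content-type":"application/json"}',
  '2024-05-01T10:00:02Z POST /api/projects/proj_123/feedback 201',
];
```

Install `redactApiKeys` as the formatter of whatever logger your server uses; it is cheap enough to run on every line, and lines without a key pass through unchanged.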

Regenerating API Keys

When to Regenerate

Regenerate your API key if:

  • ⚠️ Compromised: Key was exposed publicly (GitHub commit, logs, etc.)
  • ⚠️ Team member left: They had access to keys
  • ⚠️ Suspicious activity: Unusual API usage patterns
  • Regular rotation: Every 90 days (best practice)

How to Regenerate

  1. Go to project settings → API Access
  2. Click “Regenerate Key”
  3. Confirm the action
  4. Important: the old key stops working immediately. There is no overlap period, so every integration using the old key fails until it is updated.
  5. Copy the new key and update all integrations (secret stores, CI variables, deployed services)
  6. Test to confirm the new key works

Because there is no grace period, schedule routine rotation for a time when you can update every integration promptly, and know where every copy of the key lives before you click Regenerate. For a compromised key, regenerate first and repair integrations afterwards.
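Since the old key dies the moment a new one is generated, a service that captured the key once at startup must be restarted to pick up the new one. A client that reads the key through a provider and retries once when it is rejected narrows the outage to a single failed request. The following is an added example, not Miniback's own client; the 401 status for a revoked key, the `getKey` provider interface and the injectable `fetchImpl` parameter are assumptions for illustration.

```javascript
// Added example (not Miniback's code): a client that survives key
// regeneration without a restart. The key is obtained through `getKey`
// (read a mounted secret file, call a secrets manager, or return a value
// an operator updates) rather than captured once. On a 401 the client
// refreshes the key and retries exactly once, so a rotation costs one
// failed request instead of a restart. Assumption: a revoked key is
// rejected with HTTP 401.

function createMinibackClient({ baseUrl, projectId, getKey, fetchImpl = globalThis.fetch }) {
  const url = `${baseUrl}/api/projects/${projectId}/feedback`;
  let cached = null;

  // Re-read from the provider only when forced (after a 401) or on first use.
  async function currentKey(forceRefresh) {
    if (forceRefresh || cached === null) {
      cached = await getKey();
      if (!cached || !cached.startsWith('mbk_')) {
        throw new Error('key provider returned no mbk_ key');
      }
    }
    return cached;
  }

  async function send(key, message) {
    return fetchImpl(url, {
      method: 'POST',
      headers: { 'x-api-key': key, 'Content-Type': 'application/json' },
      body: JSON.stringify({ message }),
    });
  }

  return {
    async submitFeedback(message) {
      let res = await send(await currentKey(false), message);
      if (res.status === 401) {
        // The key was probably regenerated: pick up the new one and retry once.
        res = await send(await currentKey(true), message);
        if (res.status === 401) {
          // A fresh key was also rejected: the secret store was not updated
          // after regeneration. Fail loudly rather than retrying forever.
          throw new Error('Miniback rejected the refreshed key; update MINIBACK_API_KEY in the secret store');
        }
      }
      if (!res.ok) {
        throw new Error(`Miniback request failed: ${res.status}`);
      }
      return res.json();
    },
  };
}
```

The single retry is deliberate: a loop would turn a forgotten secret-store update into a stream of 401s against the API, which on a metered plan also burns quota.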

Security Checklist

Before going to production:

  • API keys stored in environment variables
  • .env files added to .gitignore
  • No hardcoded keys in code
  • Separate keys for dev/staging/prod
  • API calls made from server-side only
  • Rate limiting handled in code
  • Key rotation schedule planned

Need help? See Troubleshooting or contact support.
