Security best practices

Use these practices to keep your Routic account and API keys safe.

Protect API keys

  • Store API keys in environment variables or a secrets manager.
  • Do not commit keys to Git, issue trackers, logs, or client-side code.
  • Rotate a key immediately if it may have been exposed.
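
The following is an added example, not Routic's own code: it reads the key from an environment variable, refuses to start without one, and masks the key in anything the application logs. The variable name ROUTIC_API_KEY, the logger name and the sample key value are assumptions made for illustration.

```python
import logging
import os

ENV_VAR = "ROUTIC_API_KEY"  # assumed variable name, not taken from the Routic docs


def load_api_key(environ=os.environ):
    """Return the key from the environment; fail closed if it is absent."""
    key = environ.get(ENV_VAR, "").strip()
    if not key:
        raise RuntimeError(f"{ENV_VAR} is not set; refusing to start without a key")
    return key


class RedactSecret(logging.Filter):
    """Replace every occurrence of the secret in a log record before it is emitted."""
    def __init__(self, secret, mask="[REDACTED]"):
        super().__init__()
        self._secret = secret
        self._mask = mask

    def filter(self, record):
        # Render msg % args first so a key passed as a log argument is caught too.
        message = record.getMessage()
        if self._secret in message:
            record.msg = message.replace(self._secret, self._mask)
            record.args = None
        return True  # keep the record; only its text is changed


def demo():
    """Log a constructed key through the filter and return the emitted lines."""
    key = load_api_key({ENV_VAR: "example-key-constructed-0000"})  # constructed value
    lines = []

    class Capture(logging.Handler):
        def emit(self, record):
            lines.append(self.format(record))

    handler = Capture()
    handler.addFilter(RedactSecret(key))
    log = logging.getLogger("routic_demo")  # hypothetical logger name
    log.setLevel(logging.INFO)
    log.propagate = False
    log.addHandler(handler)
    log.info("request failed, auth header=%s", f"Bearer {key}")
    log.info("retrying in %d s", 2)
    log.removeHandler(handler)
    return lines
```

The filter is attached to the handler, so it also covers records that reach that handler from third-party libraries.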

Use separate keys

  • Use separate keys for development, staging, and production.
  • Delete unused keys instead of leaving them active.
  • Name keys clearly so your team can identify where each key is used.

Monitor usage

  • Review usage and balance regularly in the console.
  • Investigate unexpected traffic, sudden spend changes, or failed requests.
  • Contact support with the request timestamp and error response when you need help.

This page will cover:

  • Storing API keys securely (environment variables, secret managers)
  • Key rotation strategy
  • Principle of least privilege (scoped keys, spend limits)
  • Network security (IP allowlists, VPN considerations)
  • Audit logging and monitoring
  • Incident response checklist
