Security: Protect and Rotate API Tokens
Secure your API integrations with production-grade token management. Master secret storage, token rotation, scoping, environment security, and leak detection for bulletproof API security.
TL;DR
- NEVER commit tokens to Git—use environment variables and secret managers
- Rotate tokens every 90 days (or immediately if compromised)
- Use token scoping: limit each token to specific APIs and rate limits
- Implement leak detection with services like GitGuardian or GitHub Secret Scanning
- Store tokens in encrypted secret managers (AWS Secrets Manager, HashiCorp Vault)
- Use separate tokens for dev, staging, and production environments
Why API Token Security Matters
A single leaked API token can drain your entire points balance in minutes. Production systems require bulletproof token management: secure storage, regular rotation, granular scoping, and leak detection. This guide covers enterprise-grade practices for protecting your AppHighway tool tokens.
Secret Management Best Practices
Environment Variables
Store tokens in environment variables, never in code
APPHIGHWAY_API_TOKEN=your_token_here (in .env file, added to .gitignore)
Best for: Development and small projects
Secret Managers
Use dedicated secret management services for production
AWS Secrets Manager, HashiCorp Vault, Azure Key Vault, Google Secret Manager
Best for: Production systems and team environments
CI/CD Secret Storage
Store tokens in CI/CD platform secret stores
GitHub Secrets, GitLab CI/CD Variables, CircleCI Contexts
Best for: Automated deployments and testing
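The environment-variable approach above, worked through as an added example (this is not AppHighway's SDK or any code from the guide): a small .env parser, a loader that fails fast when the token is missing, and a wrapper whose repr is redacted so a stray log statement cannot leak the value. The variable name APPHIGHWAY_API_TOKEN comes from the guide; the token values, the .env parsing rules and the Token class are this example's own assumptions.

```python
"""Load an API token from the environment or a .env file, never from source.
Added example, not AppHighway's own code. APPHIGHWAY_API_TOKEN is the variable
the guide names; everything else here (parsing rules, Token wrapper) is assumed."""
import os
import re
from typing import Mapping, Optional

TOKEN_VAR = "APPHIGHWAY_API_TOKEN"
# KEY=VALUE with optional 'export ' prefix, as found in a typical .env file
_LINE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")


def parse_dotenv(text: str) -> dict:
    """Parse KEY=VALUE lines; skip blanks and '#' comments, strip matching quotes."""
    result = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        result[key] = value
    return result


class Token:
    """Holds the secret; str()/repr() print only the last four characters,
    so an accidental f-string in a log line does not leak the full token."""
    __slots__ = ("_value",)

    def __init__(self, value: str):
        self._value = value

    def reveal(self) -> str:
        # Call this only at the point the token goes into the Authorization header.
        return self._value

    def __repr__(self) -> str:
        return f"Token(****{self._value[-4:]})"

    __str__ = __repr__


def load_token(env: Optional[Mapping[str, str]] = None, dotenv_text: str = "") -> Token:
    """Process environment wins over .env contents; a missing token is a hard
    failure at start-up rather than a silent empty string sent to the API."""
    env = os.environ if env is None else env
    value = env.get(TOKEN_VAR) or parse_dotenv(dotenv_text).get(TOKEN_VAR)
    if not value:
        raise RuntimeError(f"{TOKEN_VAR} is not set; refusing to start without a token")
    return Token(value)


if __name__ == "__main__":
    # Constructed .env content for the demo; a real file is read from disk and git-ignored.
    sample_dotenv = "# local dev only\nexport APPHIGHWAY_API_TOKEN='ah_example_dev_0000abcd'\n"
    print(load_token(dotenv_text=sample_dotenv))  # prints the redacted form only
```

The wrapper does not make the secret unreadable (reveal() returns it), it only makes the default string conversion safe; the point is that the full value appears in exactly one place, the outgoing request, and nowhere in logs or error messages.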
Token Rotation Strategies
Why rotate tokens? Compromised tokens, employee turnover, compliance requirements, and reducing blast radius of potential leaks.
Rotation Schedule
Regular rotation: Every 90 days
Immediate rotation: When a token is compromised or a leak is suspected
Employee turnover: Rotate all tokens when team member leaves
Post-audit: Rotate tokens after security audits
Zero-Downtime Rotation
Step 1: Generate new token in AppHighway dashboard
Step 2: Deploy new token to production (keep old token active)
Step 3: Monitor traffic—ensure all services use new token
Step 4: Revoke old token after 24-hour grace period
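The four steps above depend on one property of the validating service: for the length of the grace period, both the old and the new token are accepted. The following is an added example (not AppHighway's dashboard or server code) that models that overlap window as a small token registry; the token format, the registry API and the use of unix-second timestamps are assumptions made for the example, while the 24-hour grace period comes from the guide.

```python
"""Overlap-window model behind zero-downtime token rotation.
Added example, not AppHighway's implementation; the "ah_" token prefix,
the registry API and unix-second timestamps are assumptions."""
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional

GRACE_SECONDS = 24 * 3600  # guide: revoke the old token after a 24-hour grace period


@dataclass
class TokenRecord:
    issued_at: float                   # unix seconds
    revoke_at: Optional[float] = None  # None = active until rotated or revoked


@dataclass
class TokenRegistry:
    tokens: Dict[str, TokenRecord] = field(default_factory=dict)

    def issue(self, now: float) -> str:
        # Step 1: mint a fresh random token (192 bits from the OS CSPRNG).
        tok = "ah_" + secrets.token_urlsafe(24)
        self.tokens[tok] = TokenRecord(issued_at=now)
        return tok

    def rotate(self, old: str, now: float, grace: float = GRACE_SECONDS) -> str:
        # Steps 2-4: the new token is valid immediately, the old one keeps
        # working until now + grace so already-deployed services are not cut off,
        # then expires on its own even if nobody remembers to revoke it.
        if old not in self.tokens:
            raise KeyError("cannot rotate a token that was never issued")
        new = self.issue(now)
        rec = self.tokens[old]
        if rec.revoke_at is None or rec.revoke_at > now + grace:
            rec.revoke_at = now + grace  # never extend an earlier revocation
        return new

    def revoke_now(self, tok: str, now: float) -> None:
        # Incident path: a compromised token gets no grace period.
        self.tokens[tok].revoke_at = now

    def is_valid(self, tok: str, now: float) -> bool:
        rec = self.tokens.get(tok)
        if rec is None or now < rec.issued_at:
            return False
        return rec.revoke_at is None or now < rec.revoke_at

    def active_tokens(self, now: float) -> List[str]:
        # What "monitor traffic" in step 3 should show: two tokens during the
        # window, one afterwards.
        return [t for t in self.tokens if self.is_valid(t, now)]


if __name__ == "__main__":
    reg = TokenRegistry()
    old = reg.issue(now=0.0)
    new = reg.rotate(old, now=0.0)
    print("during grace:", len(reg.active_tokens(12 * 3600)), "active tokens")
    print("after grace: ", len(reg.active_tokens(25 * 3600)), "active tokens")
```

Giving the old token a hard expiry at rotation time (rather than relying on a later manual revoke) is the detail that makes the process safe to automate on a 90-day schedule: a forgotten step 4 cannot leave two live production tokens indefinitely.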
Token Scoping & Permissions
AppHighway supports multiple tokens with granular scoping. Create separate tokens for different use cases to minimize blast radius.
Production Token
All APIs, 1000 req/min rate limit
Production workloads only
Development Token
Limited APIs, 60 req/min rate limit
Local development and testing
CI/CD Token
Test APIs only, 120 req/min rate limit
Automated testing pipelines
Analytics Token
Read-only analytics APIs
Dashboard and monitoring systems
Benefits: a compromised dev token doesn't affect production; a specific token can be revoked without disrupting other systems; each token has its own audit trail.
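What enforcing a scope looks like on the receiving side, as an added example (not AppHighway's server code): each token carries an allowed-API set, a req/min limit and optionally a read-only flag, and every request is checked against all three before it is served. The four scope tiers and their rate limits are taken from the table above; the API names, the sliding one-minute window and the example token strings are constructed for this example.

```python
"""Per-token API scope and rate-limit enforcement.
Added example, not AppHighway's code. Tiers and req/min values follow the
guide's table; API names, token strings and the sliding window are assumed."""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, FrozenSet, Optional


@dataclass
class Scope:
    name: str
    allowed_apis: Optional[FrozenSet[str]]  # None means every API (production tier)
    rate_per_min: int
    read_only: bool = False
    _window: Deque[float] = field(default_factory=deque, repr=False)  # request timestamps


class Authorizer:
    def __init__(self) -> None:
        self.scopes: Dict[str, Scope] = {}

    def register(self, token: str, scope: Scope) -> None:
        self.scopes[token] = scope

    def authorize(self, token: str, api: str, method: str, now: float) -> str:
        """Return 'ok' or a denial reason. Reasons name the scope, never the token,
        so they are safe to log."""
        scope = self.scopes.get(token)
        if scope is None:
            return "denied: unknown token"
        if scope.allowed_apis is not None and api not in scope.allowed_apis:
            return f"denied: {scope.name} token not scoped for {api}"
        if scope.read_only and method.upper() not in ("GET", "HEAD"):
            return f"denied: {scope.name} token is read-only"
        # Sliding 60-second window: drop timestamps older than one minute,
        # then admit only if fewer than rate_per_min remain.
        window = scope._window
        while window and window[0] <= now - 60.0:
            window.popleft()
        if len(window) >= scope.rate_per_min:
            return f"denied: {scope.name} token exceeded {scope.rate_per_min} req/min"
        window.append(now)
        return "ok"


def demo_authorizer() -> Authorizer:
    """Registry populated with the guide's four tiers (token strings are constructed)."""
    a = Authorizer()
    a.register("ah_prod_example", Scope("production", None, 1000))
    a.register("ah_dev_example", Scope("development", frozenset({"catalog", "search"}), 60))
    a.register("ah_ci_example", Scope("ci", frozenset({"test-orders"}), 120))
    a.register("ah_analytics_example",
               Scope("analytics", frozenset({"analytics"}), 60, read_only=True))
    return a


if __name__ == "__main__":
    auth = demo_authorizer()
    print(auth.authorize("ah_dev_example", "orders", "POST", now=0.0))
    print(auth.authorize("ah_analytics_example", "analytics", "POST", now=0.0))
    print(auth.authorize("ah_prod_example", "orders", "POST", now=0.0))
```

A denied request is not counted against the rate limit, and the denial text never includes the token, so the same messages can feed the per-token audit trail the section mentions without becoming a second leak path.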
Leak Detection & Response
Detection Tools
GitGuardian: Real-time secret scanning in Git repos
GitHub Secret Scanning: Automatic detection in GitHub repos
TruffleHog: Open-source secret scanning
Custom regex scanning: Scan logs and error messages for token patterns
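The last item, custom regex scanning of logs and error messages, as an added example (not part of GitGuardian, TruffleHog or any AppHighway tool). The guide does not give AppHighway's token format, so the patterns are assumptions: a value assigned to APPHIGHWAY_API_TOKEN, a Bearer header, a token query parameter, and a generic high-entropy check for long strings pasted without a label. The sample log lines and token values are constructed.

```python
"""Scan log text for token-like values and redact them before the log is
stored or shared. Added example; token patterns and sample lines are assumed."""
import math
import re
from collections import Counter
from typing import List, Tuple

# Labelled patterns: group 1 is the candidate secret.
PATTERNS = [
    ("env-assignment", re.compile(r"APPHIGHWAY_API_TOKEN\s*[=:]\s*['\"]?([A-Za-z0-9_\-]{16,})")),
    ("bearer-header", re.compile(r"Bearer\s+([A-Za-z0-9_\-\.]{16,})", re.IGNORECASE)),
    ("query-param", re.compile(r"[?&](?:token|api_token|apikey)=([A-Za-z0-9_\-]{16,})", re.IGNORECASE)),
]
# Unlabelled fallback: any long token-shaped word, kept only if it looks random.
GENERIC = re.compile(r"\b[A-Za-z0-9_\-]{32,}\b")


def shannon_entropy(s: str) -> float:
    """Bits per character; random base64/hex secrets score well above prose."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_secrets(line: str, entropy_threshold: float = 4.0) -> List[Tuple[str, str]]:
    """Return (rule, matched_value) pairs found in one log line."""
    hits = []
    for name, pat in PATTERNS:
        for m in pat.finditer(line):
            hits.append((name, m.group(1)))
    seen = {v for _, v in hits}
    for m in GENERIC.finditer(line):
        v = m.group(0)
        if v not in seen and shannon_entropy(v) >= entropy_threshold:
            hits.append(("high-entropy", v))
    return hits


def redact(line: str) -> str:
    """Replace each detected value, keeping the last 4 characters so the finding
    can still be matched to a specific token in the dashboard."""
    for _, value in find_secrets(line):
        line = line.replace(value, "<REDACTED:..." + value[-4:] + ">")
    return line


def scan_log(text: str) -> List[Tuple[int, str, str]]:
    """(line_no, first_rule_hit, redacted_line) for every line holding a candidate token."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        hits = find_secrets(line)
        if hits:
            findings.append((no, hits[0][0], redact(line)))
    return findings


# Constructed sample: a debug env dump and an error that echoed request headers,
# two of the most common ways a token ends up in a log file.
SAMPLE_LOG = """\
2024-03-01T10:00:00Z INFO worker started
2024-03-01T10:00:01Z DEBUG env dump: APPHIGHWAY_API_TOKEN=ah_Qm7xP2vR9tL4kN8wZ3bH6yJ1
2024-03-01T10:00:02Z ERROR 401 from upstream, request headers: Authorization: Bearer eyJraWQiOiJ0ZXN0In0.c29tZS5wYXlsb2Fk.c2ln
2024-03-01T10:00:03Z INFO GET /v1/orders?page=2 took 12ms
"""

if __name__ == "__main__":
    for no, rule, line in scan_log(SAMPLE_LOG):
        print(f"line {no} [{rule}] {line}")
```

Every finding from a scan like this is an incident trigger, not just a cleanup item: the token in line 2 has already been written to disk, so the response is the revoke-and-reissue sequence in the plan below, followed by fixing the code path that logged it.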
Incident Response Plan
1. Immediately revoke compromised token in AppHighway dashboard
2. Generate new token and deploy to production
3. Audit API usage logs for suspicious activity
4. Check points balance for unauthorized usage
5. Document incident and update security procedures
Real-World Example: E-commerce Platform Token Management
❌ Before Security Hardening
Single token for all environments (dev, staging, prod)
Token stored in .env file committed to Git
No token rotation (same token for 2 years)
Full API access with no scoping
⚠️ Incident: Developer laptop stolen, 50,000 points drained overnight
✅ After Security Hardening
Separate tokens for dev (60 req/min), staging (300 req/min), prod (1000 req/min)
Tokens stored in AWS Secrets Manager with IAM role-based access
Automatic 90-day rotation with zero-downtime deployment
Token scoping: dev token limited to 5 non-critical APIs
GitGuardian monitoring all repos for leaked secrets
Incident response playbook with 15-minute token revocation SLA
✅ Result: Zero security incidents in 18 months, compliance audit passed
Environment-Specific Security
Development Environment
Use low-limit tokens (60 req/min)
Store in local .env file (never commit)
Rotate monthly or when developer leaves
Staging Environment
Use moderate-limit tokens (300 req/min)
Store in CI/CD secret variables
Rotate quarterly or before major releases
Production Environment
Use high-limit tokens (1000 req/min)
Store in secret manager (AWS/Vault/Azure)
Rotate every 90 days with zero-downtime process
Monitor usage with alerts for anomalies
Security Checklist
✅ All tokens stored in environment variables or secret managers
✅ No tokens committed to Git (check history with git log -S 'APPHIGHWAY'; a token found in history is compromised and must be rotated, not just deleted from the working tree)
✅ Separate tokens for dev, staging, and production
✅ Token rotation schedule configured (90 days)
✅ Leak detection tool monitoring repositories (GitGuardian)
✅ Incident response plan documented and tested
✅ Token scoping implemented (rate limits + API restrictions)
✅ Access control: only authorized personnel can access production tokens
Next Steps
Secure your tokens today
Manage API Tokens
Create scoped tokens, set rate limits, and monitor usage in the AppHighway dashboard.
Monitoring & Logging Guide
Learn how to track API usage and detect anomalies with the analytics dashboard.
Security is Not Optional
A single leaked token can cost thousands of dollars and expose sensitive data. Token rotation, scoping, secret management, and leak detection are non-negotiable for production systems. Implement these practices today—your future self will thank you.
Ready to secure your tokens? Review your current setup with the security checklist above.