API Security Best Practice:
How do I maintain a secure API
connection with Deputy?
The Deputy API is a robust tool that enables external systems to access Deputy's functions. Since our customers rely on Deputy to handle confidential information, we strongly recommend implementing basic API security measures to prevent unauthorised access through APIs.
Treat API tokens like a password
It is important to handle API tokens with the same level of security as passwords. These tokens provide access to API to anyone possessing them, therefore it is recommended not to share them through unsecured channels.
Instead, consider using a secure messaging or document system to exchange API token information to ensure that the tokens remain protected and only accessible to those who require them.
Instead, consider using a secure messaging or document system to exchange API token information to ensure that the tokens remain protected and only accessible to those who require them.
Don't re-use the same API token
An API token identifies a client and enables monitoring requests in the API dashboard on a per-client basis. If multiple people have the same API token, there's no reliable way to determine who is making calls to your API.
Periodically refresh API tokens
To avoid long-term access to an API token, it is recommended to periodically refresh or change it. This process is similar to the expiration of passwords.
Monitor user access to APIs
When an individual's access to APIs is no longer required, for instance, if they are a terminated employee, it is important to disable or delete their client profile in Deputy.