VeriWorkly Docs

Docs API Reference Blog

VeriWorkly Docs

Docs API Reference Blog

Introduction

Introduction Documentation API Keys System Overview

Getting Started

Quick Start Local Development Setup Docker Production Deployment Migration Guide (v2.x)

Architecture

Monorepo Architecture State Management PDF Generation Engine Authentication System Database Schema Resume Schema

User Guides

Creating Your First Resume Resume Templates Account Management Exporting and Sharing

Operations

Environment Variables API Key Security Runbook Service Status and Diagnostics

Contributing

Contributing Guide Coding Standards

Compliance

Privacy Policy Terms of Service Security Policy License

API Key Security Runbook

Operational guide for managing API key security, rotation, revocation, and incident response.

API Key Security Runbook

This page explains how to operate API keys safely in production.

What API Keys Are

API keys are like special passes for programmatic access. Each pass should:

only allow the minimum permissions it needs,
expire when appropriate,
be easy to revoke,
never be stored in plain text.

Normal Operating Rules

Create keys with the smallest useful scope.
Set a reasonable expiry date.
Use a lower rate limit for keys that do not need heavy traffic.
Rotate keys on a schedule or when staff change.
Never log the full key value.

If a Key Is Exposed

If you think a key leaked:

Revoke the key immediately.
Check recent usage and suspicious IP addresses.
Rotate any connected integrations.
Review logs for abuse.
If the database was exposed, rotate the API key hash secret as well.

Safe Rotation Process

Use rotation when you want to replace a key without breaking service right away.

Create the replacement key.
Copy it to the application that uses it.
Confirm the application works.
Revoke the old key.

What the System Does Automatically

Stores only a hashed form of the key in the database.
Caches authentication lookups in Redis for speed.
Removes cached authorization data when a key is revoked.
Updates last-used timestamps at a throttled interval instead of every request.

Incident Checklist

When something looks wrong, check these items:

Did a key expire earlier than expected?
Did the key lose a required scope?
Is Redis healthy?
Are rate limits being exceeded?
Are there unusual request spikes from one key?

Release Checklist

Before a production release, confirm:

API_KEY_HASH_SECRET is set.
API_KEY_AUTH_CACHE_TTL_SECONDS is reasonable.
API_KEY_LAST_USED_TOUCH_INTERVAL_SECONDS is set.
API_KEY_DEFAULT_RATE_LIMIT matches product expectations.
ALLOWED_ORIGINS is limited to real frontend domains.

Rule of Thumb

If you can solve a problem by giving a key more access, that is usually the wrong move. Start with less access, shorter lifetime, and faster revocation.

Environment Variables

Comprehensive reference for all configuration options across the VeriWorkly ecosystem.

Service Status and Diagnostics

Operational playbook for monitoring system health, diagnosing service failures, and maintaining platform uptime.

On this page

API Key Security Runbook What API Keys Are Normal Operating Rules If a Key Is Exposed Safe Rotation Process What the System Does Automatically Incident Checklist Release Checklist Rule of Thumb