API Key Security

How ArtistGuard stores keys, what to do when one is compromised, and how to rotate safely.

One API key gives full access to your organization's data. That's worth taking seriously.

How keys are stored

When you create a key, ArtistGuard hashes it immediately. The raw value is returned to you once, then gone from our systems.

What this means:

  • We can't recover a lost key. If you lose one, revoke it and create a new one.
  • A database breach doesn't expose your keys: a stored hash can't be reversed to recover the key.

The prefix visible in the dashboard (like ag_live_xK3m...) is for identification only. It can't authenticate anything.

Signs a key is compromised

  • It was committed to a public Git repo
  • It appeared in application logs that were exposed
  • It was shared with someone who no longer needs access
  • It showed up in a screenshot or recording

If any of these has happened, revoke the key immediately. Don't wait.
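As an added illustration for the second sign above (a key that ends up in application logs), here is a small Python check that finds anything shaped like a full key in log text and masks it down to the dashboard prefix, which the page says cannot authenticate anything. This is example code, not ArtistGuard's; the key format beyond the `ag_live_` prefix and the four-character display prefix are assumptions, and the log lines are constructed.

```python
import re

PREFIX = "ag_live_"   # keys on the page look like "ag_live_xK3m..."
DISPLAY_CHARS = 4     # assumption: the dashboard shows four characters after the prefix

# Assumption: a full key is "ag_live_" followed by a run of URL-safe characters.
# The page only shows the prefix, so the alphabet and minimum length here are
# placeholders for this example.
KEY_PATTERN = re.compile(r"ag_live_[A-Za-z0-9_-]{16,}")


def find_keys(text: str) -> list[str]:
    """Return every substring of `text` that looks like a complete key."""
    return KEY_PATTERN.findall(text)


def leaked_keys(log_text: str) -> list[str]:
    """Dashboard-style prefixes of every key found, so the right key can be revoked."""
    return [k[: len(PREFIX) + DISPLAY_CHARS] + "..." for k in find_keys(log_text)]


def redact(text: str) -> str:
    """Mask each key down to its identification prefix before the line is stored or shared."""
    def mask(match: re.Match) -> str:
        key = match.group(0)
        return key[: len(PREFIX) + DISPLAY_CHARS] + "...[REDACTED]"
    return KEY_PATTERN.sub(mask, text)


# Constructed sample: two lines that leak a key, one that does not.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z INFO  GET /v1/artworks authorization="Bearer ag_live_xK3mQ9vL2pR8sT4uW6yZ0aB1cD3e"
2024-05-01T10:00:01Z INFO  GET /v1/health 200
2024-05-01T10:00:02Z DEBUG loaded config api_key=ag_live_pH7nE2cV5bN8mK1jL4gF6dS9aQ0wZ
"""


if __name__ == "__main__":
    print(leaked_keys(SAMPLE_LOG))   # which keys to revoke
    print(redact(SAMPLE_LOG))        # what may safely be kept
```

redact() can be applied inside a logging filter or a pre-commit hook; leaked_keys() gives you the prefixes to match against the API Keys page when deciding which key to revoke.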

[Screenshot: API Keys page showing a key with its name, prefix, last-used timestamp, and the revoke icon]

Revoking a key

Go to Dashboard > API Keys, click the trash icon, and confirm. Revocation takes effect immediately: the next request using that key gets 401 Unauthorized.

Rotating keys

  1. Create a new key
  2. Deploy it to your integration
  3. Verify it works
  4. Revoke the old key

Both keys can be active during the transition, so take your time to verify the new one before revoking the old one.

Rotating every 90 days is a reasonable cadence for sensitive environments.

Expiring keys

Set an expiry date when creating a key for temporary access. After that date the key stops working automatically. Good for contractors, campaigns, or short-lived CI environments.
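The storage model, revocation, rotation and expiry sections above describe one key lifecycle; here it is as a single runnable Python model. This is an added example, not ArtistGuard's code: the KeyStore class, the four-character display prefix, the choice of SHA-256 and the rotate() helper are all assumptions, but the behaviour matches the page: the raw key is returned once and only its hash is kept, the prefix only narrows the lookup while the hash decides, revocation takes effect on the next request, both keys stay active until the new one is verified, and an expired key stops working on its own.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Optional

PREFIX = "ag_live_"   # keys on the page look like "ag_live_xK3m..."
DISPLAY_CHARS = 4     # assumption: the dashboard shows four characters after the prefix


@dataclass
class KeyRecord:
    key_id: str
    name: str
    display_prefix: str            # "ag_live_xK3m": identification only, cannot authenticate
    digest: bytes                  # hash of the full key; the raw value is never stored
    created_at: float
    expires_at: Optional[float] = None
    revoked: bool = False
    last_used_at: Optional[float] = None


def _digest(raw_key: str) -> bytes:
    # The key carries 192 bits of randomness, so a fast hash is enough; slow
    # password hashes exist for low-entropy secrets. Assumption: the page does
    # not say which algorithm ArtistGuard uses.
    return hashlib.sha256(raw_key.encode()).digest()


class KeyStore:
    """Hypothetical in-memory model of the API Keys page (not ArtistGuard's code)."""

    def __init__(self) -> None:
        self._by_id: dict[str, KeyRecord] = {}
        self._by_prefix: dict[str, list[KeyRecord]] = {}

    def create(self, name: str, now: float, ttl_seconds: Optional[float] = None) -> tuple[str, str]:
        """Create a key. The raw value is returned here once and nowhere else."""
        raw = PREFIX + secrets.token_urlsafe(24)
        rec = KeyRecord(
            key_id=secrets.token_hex(8),
            name=name,
            display_prefix=raw[: len(PREFIX) + DISPLAY_CHARS],
            digest=_digest(raw),
            created_at=now,
            expires_at=None if ttl_seconds is None else now + ttl_seconds,
        )
        self._by_id[rec.key_id] = rec
        self._by_prefix.setdefault(rec.display_prefix, []).append(rec)
        return rec.key_id, raw

    def verify(self, presented: str, now: float) -> Optional[KeyRecord]:
        """Return the active record for a presented key, or None (the caller answers 401)."""
        candidates = self._by_prefix.get(presented[: len(PREFIX) + DISPLAY_CHARS], [])
        digest = _digest(presented)
        for rec in candidates:                      # prefix narrows, hash decides
            if not hmac.compare_digest(rec.digest, digest):
                continue                            # constant-time compare
            if rec.revoked:
                return None
            if rec.expires_at is not None and now >= rec.expires_at:
                return None                         # expiry is enforced automatically
            rec.last_used_at = now                  # the "last used" column in the dashboard
            return rec
        return None

    def revoke(self, key_id: str) -> None:
        """Takes effect immediately: the next verify() of this key returns None."""
        self._by_id[key_id].revoked = True


def rotate(store: KeyStore, old_key_id: str, name: str, now: float,
           deploy_and_check: Callable[[str], bool]) -> str:
    """The four rotation steps. deploy_and_check(raw_key) stands for steps 2-3
    (deploy the new key, confirm it works); the old key stays active until it passes."""
    new_id, raw = store.create(name, now)           # 1. create a new key
    if not deploy_and_check(raw):                   # 2-3. deploy, verify
        store.revoke(new_id)                        # roll back; the old key was never touched
        raise RuntimeError("new key failed verification; old key left active")
    store.revoke(old_key_id)                        # 4. revoke the old key
    return new_id
```

The `now` parameter is passed in rather than read from the clock so the expiry and last-used behaviour can be exercised deterministically; in a real service it would be the request time.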

Name your keys well

A name like github-actions-prod is useful; key1 is not. When something breaks and you need to revoke the right key without taking down other integrations, good names matter.