
API Key Security: Origin Allowlist, Expiry, Rotation, Monitoring

Lock down your GDShine API keys with origin allowlists, expiry, rotation, and usage monitoring.

1

Create a scoped API key

Go to /dashboard/api-keys and click Generate new key.

Give it a descriptive name, usually the domain or service it is for (e.g., hshare.ink, shopify-integration). The name is what appears in the usage log, so it tells you at a glance which key is being used where.

Copy the key immediately; it is shown only once, at creation time. Store it in an environment variable and never commit it to git.

2

Add an origin allowlist

In the Allowed Origins field, enter the domains that are allowed to use this key. Format: comma-separated, just the hostnames (no protocol needed). Examples:

hshare.ink, www.hshare.ink

Any request whose Origin or Referer header names a different host is rejected with a 403. The rejection is logged in the usage panel, so you can spot if someone leaked your key and tried to use it elsewhere.

Treat the allowlist as a leak detector rather than a hard boundary: browsers set Origin and Referer themselves, but any other HTTP client can send whatever value it likes, so a key used from a script with a forged Referer still passes. The key remains the secret; the allowlist catches casual reuse and gives you the signal to rotate.

Note: Server-side integrations (PHP cURL, Python requests) don't send Origin or Referer by default, so their requests are rejected as having no allowed origin. If you're calling the API from a server, add a Referer header whose hostname is on the allowlist explicitly, e.g. Referer: https://yourdomain.com/.

3

Set an expiry date

For high-trust keys, set an expiry 90-180 days out. Once the key expires, every request fails with a clear "API key has expired" message.

This is a safety net: even if the key leaks and you don't notice, the damage has a time limit.

For integrations you actively maintain, set a calendar reminder to rotate before expiry.

4

Monitor the usage log

Click any API key to expand its Recent Activity panel. It shows the last 50 calls with:

  • Timestamp
  • HTTP method + path
  • Status code (201 = success, 403 = origin rejection, 401 = invalid key, 429 = rate limit)
  • Origin header (what domain called)
  • IP address

A spike in 403s from origins you don't recognize means someone has your key and is trying to use it elsewhere. Rotate immediately. A burst of 401s against a key you have just rotated usually means a deployment is still holding the old secret, which is an outage to fix, not a leak.
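The two checks above are easier to reason about in code. The following is an added illustration, not GDShine's own implementation: a reference model of how an origin allowlist of the kind described in step 2 decides a request (Origin first, Referer as the fallback, exact hostname match), and a scan over a constructed sample of the Recent Activity panel from step 4 that flags the "403s from unexpected origins" pattern. The log entries, paths and IP addresses are made up for the example; the column order follows the panel description.

```python
"""Added example (not GDShine code): a reference model of the origin allowlist
check from step 2, and a scan of the step 4 usage log for abuse."""
from __future__ import annotations

from collections import defaultdict
from typing import Optional
from urllib.parse import urlparse


def parse_allowlist(field: str) -> set[str]:
    """Parse the comma-separated Allowed Origins field into lowercase hostnames."""
    return {h.strip().lower() for h in field.split(",") if h.strip()}


def hostname_of(header_value: Optional[str]) -> Optional[str]:
    """Hostname from an Origin ('scheme://host[:port]') or Referer (full URL) value.
    urlparse lowercases the host and drops the port; a bare word such as the
    browser's 'null' origin has no scheme and yields None."""
    if not header_value:
        return None
    return urlparse(header_value.strip()).hostname


def origin_allowed(headers: dict[str, str], allowlist: set[str]) -> bool:
    """Model of the step 2 check (illustration, not GDShine's code). Origin is
    authoritative when present; Referer is the fallback, which is why server-side
    clients must add it explicitly. A request with neither is rejected. Exact
    hostname match only, so 'evil-hshare.ink' and 'hshare.ink.attacker.com' fail
    even though they contain the allowed name."""
    h = {k.lower(): v for k, v in headers.items()}
    if "origin" in h:
        host = hostname_of(h["origin"])
    else:
        host = hostname_of(h.get("referer"))
    return host is not None and host in allowlist


# Constructed sample of a Recent Activity panel in the column order from step 4
# (timestamp, method, path, status, Origin header, IP). Paths and addresses are
# placeholders, not real GDShine endpoints or traffic.
SAMPLE_LOG = [
    ("2024-05-01T10:00:01Z", "POST", "/example", 201, "https://hshare.ink", "203.0.113.10"),
    ("2024-05-01T10:00:05Z", "POST", "/example", 201, "https://www.hshare.ink", "203.0.113.10"),
    ("2024-05-01T10:01:00Z", "POST", "/example", 403, "https://evil.example", "198.51.100.7"),
    ("2024-05-01T10:01:02Z", "POST", "/example", 403, "https://evil.example", "198.51.100.7"),
    ("2024-05-01T10:01:09Z", "POST", "/example", 403, "https://evil.example", "198.51.100.8"),
    ("2024-05-01T10:02:30Z", "POST", "/example", 403, "", "192.0.2.44"),  # server client, no Referer
    ("2024-05-01T10:03:00Z", "POST", "/example", 401, "https://hshare.ink", "203.0.113.10"),  # stale key
    ("2024-05-01T10:03:10Z", "POST", "/example", 201, "https://hshare.ink", "203.0.113.11"),
]


def flag_abuse(log, allowlist: set[str], threshold: int = 3) -> dict[str, dict]:
    """Group 403 origin rejections by the rejected hostname and return every origin
    outside the allowlist that reached the threshold, with the source IPs. That is
    the 'spike from unexpected origins' signal that should trigger rotation. A lone
    403 with no Origin is usually your own server-side client missing its Referer."""
    rejected: dict[str, list[str]] = defaultdict(list)
    for _ts, _method, _path, status, origin, ip in log:
        if status != 403:
            continue
        host = hostname_of(origin)
        if host in allowlist:
            continue  # rejected for some other reason; not an origin-leak signal
        rejected[host or "(no origin)"].append(ip)
    return {
        host: {"count": len(ips), "ips": sorted(set(ips))}
        for host, ips in rejected.items()
        if len(ips) >= threshold
    }


if __name__ == "__main__":
    allowed = parse_allowlist("hshare.ink, www.hshare.ink")
    for origin, verdict in flag_abuse(SAMPLE_LOG, allowed).items():
        print(f"rotate: {verdict['count']} rejections from {origin} via {verdict['ips']}")
```

Lowering the threshold to 1 also surfaces the single "(no origin)" rejection, which in this sample is the server-side client from step 2 that forgot its Referer rather than an attacker; keep the two cases apart when deciding whether to rotate.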

5

Rotate a key

Rotation creates a new key and invalidates the old one. Click the Rotate button on the API key row.

The old key stops working the moment you rotate. Deploy the new key to your integration before rotating (or schedule a brief maintenance window).

Rotation preserves all settings (name, allowed origins, expiry) — you just get a new secret string.

6

Revoke a compromised key

If a key is leaked publicly (e.g., accidentally committed to GitHub), click Delete immediately. The key is removed from the database and every subsequent request is rejected. Removing the commit afterwards does not un-leak it; assume anyone could have copied it in the meantime. If you still need the integration, Rotate (step 5) cuts off the old secret just as quickly and keeps the key's settings.

Then audit your download history for unusual traffic during the window the key was exposed.

You're done!

You've completed all 6 steps. Questions? Reach out to support.