Step 3 – API Key restrictions

If you want to prevent unauthorized use and quota theft, you should consider restricting your API Key. API Key restrictions let you specify which websites, IP addresses, or apps can use this key.

The default Key restriction is None, which means exactly that: no restriction at all. If you are going to expose the API Key in the wild, we strongly recommend against using it. If the Key is not going to be exposed or shared, you can consider leaving it with no restriction at all.

If you are going to use the API Key in a JavaScript application running in a browser, such as a Single Page Application, you should consider the HTTP referrers restriction. With this restriction applied, your API Key will allow requests that contain the Origin or Referer headers, so that CORS works on your site. You can enter a list of comma-separated hosts without restrictions.

Apility.io API Key restrictions HTTP referrers

Finally, if you are going to use the API behind a firewall and want to restrict which IP addresses can use your API Key, you can enable the IP addresses restriction. You can enter a list of comma-separated IPs without restrictions.

Apility.io API Key restrictions IP addresses
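
The three restriction types described above, sketched as the check a service could run on each request. This is an added example, not Apility.io's own code: the mode labels, function names and sample hosts and addresses are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

def parse_list(raw):
    """Split the comma-separated value entered in the restriction field."""
    return [item.strip().lower() for item in raw.split(",") if item.strip()]

def header_host(value):
    """Hostname of an Origin/Referer value, or None if absent or unparsable."""
    try:
        host = urlsplit((value or "").strip()).hostname
    except ValueError:
        return None
    return host.lower().rstrip(".") if host else None

def key_allows(mode, allowed, headers, client_ip):
    """mode is a hypothetical label: 'none', 'http_referrers' or 'ip_addresses'."""
    if mode == "none":
        return True  # no restriction: any caller holding the key is accepted
    if mode == "http_referrers":
        hosts = set(parse_list(allowed))
        lowered = {k.lower(): v for k, v in headers.items()}
        # Both headers are supplied by the client, so this limits where a
        # browser-embedded key works; it does not authenticate the caller.
        for name in ("origin", "referer"):
            host = header_host(lowered.get(name))
            if host is not None:
                # Exact host comparison: a substring test would also accept
                # look-alike hosts such as app.example.com.other.test.
                return host in hosts
        return False  # neither header present: nothing to match against
    if mode == "ip_addresses":
        try:
            caller = ipaddress.ip_address(client_ip)
            listed = {ipaddress.ip_address(item) for item in parse_list(allowed)}
        except ValueError:
            return False  # malformed address in request or list: fail closed
        return caller in listed
    return False  # unknown mode: fail closed
```

Parsing addresses with `ipaddress` rather than comparing strings means an IPv6 caller matches the list entry regardless of how the address is abbreviated.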