API Security

Use Solatis APIs securely with proper authentication and rate limiting.

API Basics

Getting Started

Generate API Key:

Settings → API Keys → Generate New Key

Keep your key secret:

Treat like passwords
Don't commit to git
Don't share in code
Rotate periodically

API Authentication

Include in request header:

bash

curl -H "Authorization: Bearer YOUR_API_KEY" \
  https://api.solatis.team/v1/documents

Python:

python

import requests

headers = {
    'Authorization': 'Bearer YOUR_API_KEY'
}
response = requests.get(
    'https://api.solatis.team/v1/documents',
    headers=headers
)

Rate Limiting

Limits per API key:

Free: 100 requests/hour
Pro: 10,000 requests/hour
Enterprise: Custom limit

When rate limited:

HTTP 429 Too Many Requests

Retry-After: 3600 (seconds until reset)

Best practice:

python

import time

try:
    response = requests.get(url, headers=headers)
except requests.exceptions.HTTPError as e:
    if e.response.status_code == 429:
        retry_after = int(e.response.headers.get('Retry-After', 60))
        time.sleep(retry_after)
        response = requests.get(url, headers=headers)

HTTPS Requirements

Always use HTTPS:

✅ https://api.solatis.team/v1/...
❌ http://api.solatis.team/v1/...

HTTP requests are rejected.

Secure Practices

Never Log API Keys

❌ Bad:

python

print(f"Using API key: {api_key}")  # Logs your key!

✅ Good:

python

print("Using API key: [REDACTED]")

Environment Variables

Store keys in environment variables, not code:

bash

export SOLATIS_API_KEY="sk_live_..."

Python:

python

import os

api_key = os.environ.get('SOLATIS_API_KEY')

Rotate Keys Regularly

When to rotate:

After 90 days
If compromised
When employee leaves
When access should be revoked

How to rotate:

Settings → API Keys
1. Generate new key
2. Update application
3. Delete old key

Data Validation

Input Validation

Always validate data before sending to API:

python

# Validate before API call
if not isinstance(document_id, str) or len(document_id) == 0:
    raise ValueError("Invalid document ID")

response = requests.post(
    'https://api.solatis.team/v1/documents',
    headers=headers,
    json={'id': document_id}
)

Output Validation

Always validate API responses:

python

response = requests.get(url, headers=headers)

# Verify response is valid JSON
try:
    data = response.json()
except json.JSONDecodeError:
    print("Invalid JSON response")
    return None

# Validate expected fields
if 'documents' not in data:
    print("Unexpected response structure")
    return None

Error Handling

Common Status Codes

Code	Meaning	Action
200	Success	Use the data
400	Bad Request	Check your input
401	Unauthorized	Check your API key
403	Forbidden	Check your permissions
429	Rate Limited	Wait and retry
500	Server Error	Retry later

Handling Errors

python

response = requests.get(url, headers=headers)

if response.status_code == 401:
    # Invalid API key
    print("Invalid API key")
    return None
elif response.status_code == 403:
    # Permission denied
    print("Access denied")
    return None
elif response.status_code == 429:
    # Rate limited
    print("Rate limited, waiting...")
    time.sleep(60)
    return requests.get(url, headers=headers)
elif response.status_code == 500:
    # Server error, retry
    print("Server error, retrying...")
    time.sleep(5)
    return requests.get(url, headers=headers)

CORS (Web API)

CORS Headers

If calling Solatis API from browser:

javascript

// Browser automatically handles CORS
fetch('https://api.solatis.team/v1/documents', {
    headers: {
        'Authorization': 'Bearer YOUR_API_KEY',
        'Content-Type': 'application/json'
    }
})

Allowed origins:

Any HTTPS origin
Not allowed: HTTP (insecure)

Webhook Security

Webhook Signatures

Verify webhooks are from Solatis:

Header sent:

X-Solatis-Signature: sha256=abcd1234...

Verify signature:

python

import hmac
import hashlib

def verify_signature(request_body, signature, secret):
    expected = hmac.new(
        secret.encode(),
        request_body.encode(),
        hashlib.sha256
    ).hexdigest()
    
    return hmac.compare_digest(signature, expected)

Webhook Best Practices

✅ Do:

Verify signatures
Use HTTPS
Return 200 OK quickly
Process asynchronously
Log all webhooks
Monitor for failures

❌ Don't:

Process synchronously
Make slow operations
Return errors to webhook
Ignore verification

Security Checklist

Before deploying API integration:

[ ] API key in environment variable
[ ] HTTPS only
[ ] Input validation
[ ] Output validation
[ ] Error handling
[ ] Rate limiting handled
[ ] Logging configured (no API keys)
[ ] Webhook signatures verified
[ ] Secrets not in git
[ ] CORS configured correctly
[ ] Timeouts configured
[ ] Retries implemented

Incident Reporting

Found a security issue?

Report to: security@solatis.team

Include:

Description of vulnerability
Steps to reproduce
Potential impact
Your contact info

We'll:

Acknowledge within 24 hours
Investigate immediately
Fix within 72 hours (critical)
Credit you in release notes

API Security ​

API Basics ​

Getting Started ​

API Authentication ​

Rate Limiting ​

HTTPS Requirements ​

Secure Practices ​

Never Log API Keys ​

Environment Variables ​

Rotate Keys Regularly ​

Data Validation ​

Input Validation ​

Output Validation ​

Error Handling ​

Common Status Codes ​

Handling Errors ​

CORS (Web API) ​

CORS Headers ​

Webhook Security ​

Webhook Signatures ​

Webhook Best Practices ​

Security Checklist ​

Incident Reporting ​

Next Steps ​

API Security

API Basics

Getting Started

API Authentication

Rate Limiting

HTTPS Requirements

Secure Practices

Never Log API Keys

Environment Variables

Rotate Keys Regularly

Data Validation

Input Validation

Output Validation

Error Handling

Common Status Codes

Handling Errors

CORS (Web API)

CORS Headers

Webhook Security

Webhook Signatures

Webhook Best Practices

Security Checklist

Incident Reporting

Next Steps