API Authentication & Security
Security is our top priority. This guide covers all authentication methods we support to keep your data safe and your API calls secure.
Authentication Methods
API Key Authentication
The simplest and most common authentication method. Use your API key in the Authorization header:
curl -H "Authorization: Bearer YOUR_API_KEY" \
https://api.aspirecodeai.com/v1/projects
How to get your API key:
- Log in to your dashboard
- Navigate to Settings → API Keys
- Click "Generate New Key"
- Name your key and select its scope
- Copy and store it securely
OAuth 2.0
For third-party integrations and user authentication, we support OAuth 2.0:
POST https://auth.aspirecodeai.com/oauth/token
Content-Type: application/json
{
"grant_type": "client_credentials",
"client_id": "YOUR_CLIENT_ID",
"client_secret": "YOUR_CLIENT_SECRET"
}
OAuth Flows Supported:
- Authorization Code Flow (for web apps)
- Client Credentials Flow (for server-to-server)
- Refresh Token Flow (for long-lived access)
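As an added illustration of the Client Credentials Flow (this is example code, not AspireCode AI's own client library): a small token client that POSTs the request shown above, keeps the resulting token in memory, and only asks for a new one when the old one is about to expire. It assumes the token endpoint answers with a standard RFC 6749 JSON body (`access_token`, `token_type`, `expires_in`); the `fetchImpl` and `now` parameters exist so the logic can be exercised without network access.

```javascript
// Added example, not part of the AspireCode AI documentation.
// Assumes an RFC 6749 style token response: { access_token, token_type, expires_in }.
const TOKEN_URL = 'https://auth.aspirecodeai.com/oauth/token';

function createTokenClient({ clientId, clientSecret, fetchImpl = globalThis.fetch, now = () => Date.now(), skewMs = 30000 }) {
  // Cached token lives in memory only; it is never written to disk or logs.
  let cached = null; // { accessToken, expiresAt }

  async function getAccessToken() {
    // Reuse the cached token while it still has more than skewMs of life left.
    if (cached && now() + skewMs < cached.expiresAt) return cached.accessToken;

    const res = await fetchImpl(TOKEN_URL, {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({
        grant_type: 'client_credentials',
        client_id: clientId,
        client_secret: clientSecret,
      }),
    });
    // Report only the status: the request body carries the client secret and must not be echoed.
    if (!res.ok) throw new Error(`token request failed with HTTP ${res.status}`);

    const body = await res.json();
    if (typeof body.access_token !== 'string' || typeof body.expires_in !== 'number') {
      throw new Error('token response missing access_token or expires_in');
    }
    cached = { accessToken: body.access_token, expiresAt: now() + body.expires_in * 1000 };
    return cached.accessToken;
  }

  return { getAccessToken };
}
```

Call `getAccessToken()` before each request and send the value in the Authorization header as shown in the API key example; the 30-second skew keeps a token from being used in the last moments before the server considers it expired.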
JWT (JSON Web Tokens)
For advanced use cases, we support JWT-based authentication:
Header:
{
"alg": "HS256",
"typ": "JWT"
}
Payload:
{
"sub": "user_id",
"iat": 1516239022,
"exp": 1516242622
}
Security Best Practices
Do's
- ✓ Store API keys in environment variables, never hardcode them
- ✓ Use different API keys for development and production
- ✓ Rotate API keys every 90 days
- ✓ Use HTTPS for all API requests
- ✓ Monitor API key usage for suspicious activity
- ✓ Set appropriate scopes for each API key (e.g., read-only, write)
- ✓ Use strong, unique passwords for your account
- ✓ Enable two-factor authentication (2FA) on your account
Don'ts
- ✗ Never commit API keys to version control
- ✗ Never share your API key via email or chat
- ✗ Don't reuse the same API key for multiple projects
- ✗ Never log or expose API keys in error messages
- ✗ Don't use API keys in client-side code (browser)
- ✗ Never give API keys to third parties without proper authorization
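The first "do" and the fourth "don't" above are the ones most often broken by accident, so here is an added example (not AspireCode AI code) of the pattern that satisfies both: the key is read from an environment variable rather than a string literal, and every message that could reach a logger or an exception is scrubbed of the key first. `ASPIRECODE_API_KEY` is an assumed variable name.

```javascript
// Added example, not part of the AspireCode AI documentation.
// ASPIRECODE_API_KEY is an assumed environment variable name.
const API_KEY_ENV = 'ASPIRECODE_API_KEY';

// Read the key from the environment; fail fast with a message that contains no secret.
function loadApiKey(env = process.env) {
  const key = env[API_KEY_ENV];
  if (typeof key !== 'string' || key.trim() === '') {
    throw new Error(`${API_KEY_ENV} is not set; export it in the environment instead of hardcoding it`);
  }
  return key.trim();
}

// Build the Authorization header the docs show for curl.
function authHeaders(apiKey) {
  return { Authorization: `Bearer ${apiKey}` };
}

// Replace every secret with a fixed marker so log lines and error messages never carry the key.
function redactSecrets(text, secrets) {
  return secrets.filter(Boolean).reduce((out, s) => out.split(s).join('[REDACTED]'), String(text));
}

// Wrap an error so its message and stack are scrubbed before it reaches a logger or monitoring tool.
function redactedError(err, secrets) {
  const clean = new Error(redactSecrets(err && err.message, secrets));
  if (err && err.stack) clean.stack = redactSecrets(err.stack, secrets);
  return clean;
}

// Typical use:
//   const key = loadApiKey();
//   try {
//     await fetch('https://api.aspirecodeai.com/v1/projects', { headers: authHeaders(key) });
//   } catch (e) {
//     console.error(redactedError(e, [key]));
//   }
```

Because some HTTP client errors include the request headers in their message, scrubbing at the point of logging is the only place that reliably catches every path a key could take into a log.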
Managing Your API Keys
View Your Keys
All your API keys are visible in the dashboard. You can see:
- Key name and creation date
- Last used date and time
- Associated permissions/scopes
- Expiration date (if set)
Rotate a Key
To rotate an API key (recommended every 90 days):
- Generate a new API key
- Update your applications to use the new key
- Test thoroughly
- Delete the old key
Revoke a Key
If you suspect a key has been compromised:
- Go to Settings → API Keys
- Click the key you want to revoke
- Click "Revoke" and confirm
- The key will be immediately deactivated
Rate Limiting
To ensure fair usage, we implement rate limiting on our APIs:
| Plan | Requests/Hour | Concurrent Connections |
| Free | 1,000 | 10 |
| Professional | 10,000 | 50 |
| Enterprise | Unlimited | Unlimited |
Handling Rate Limits
If you exceed rate limits, you'll receive a 429 (Too Many Requests) response. Implement exponential backoff:
// Exponential backoff example
async function apiCall(url, retries = 3) {
  let lastError;
  for (let i = 0; i < retries; i++) {
    try {
      const response = await fetch(url);
      if (response.status === 429) {
        // Honour Retry-After when the server sends it; otherwise wait 1s, 2s, 4s, ...
        const retryAfter = Number(response.headers.get('Retry-After'));
        const delay = retryAfter > 0 ? retryAfter * 1000 : Math.pow(2, i) * 1000;
        await new Promise(resolve => setTimeout(resolve, delay));
        continue;
      }
      return response;
    } catch (error) {
      // Network failure: remember it and retry after the same backoff
      lastError = error;
      await new Promise(resolve => setTimeout(resolve, Math.pow(2, i) * 1000));
    }
  }
  // Out of attempts: fail loudly instead of silently returning undefined
  throw lastError || new Error(`Rate limited: gave up after ${retries} attempts`);
}
Error Codes & Responses
| Code | Meaning | Solution |
| 401 | Unauthorized | Check your API key and Authorization header |
| 403 | Forbidden | Your key lacks required permissions |
| 429 | Rate Limited | Implement exponential backoff |
| 500 | Server Error | Contact support, retry after 60 seconds |
Compliance & Standards
We follow industry-leading security standards:
- HTTPS/TLS 1.2+: All communications are encrypted
- GDPR Compliant: We respect user privacy and data protection
- SOC 2 Type II: Regular security audits and monitoring
- End-to-End Encryption: Optional encryption for sensitive data
Support & Resources
For security questions or concerns: