
Access Management

Guidance for retrieving or changing your Sindri credentials.

API Authentication

We use API keys to identify user accounts in the Sindri API. Your account's API key must be added in the header of all requests; the API Reference section provides details on the API endpoints.

API Key Creation and Management

After logging into the Sindri front-end, you can create and manage your API Keys within the API Keys Settings page.

Danger: Be sure to copy and save your new API Key immediately after creating it, because that is the only time it will be visible.

Protecting your API Keys

You should think of your API key like a password to your account and protect it accordingly. If a third party obtains your API key, they will have the capability to deploy new versions of our ZK circuits, which may contain vulnerabilities, or to run up very large usage bills that you will be responsible for. Some best practices around protecting your keys are to:

  1. Use Secure API Key Storage - Never hard-code API keys directly into your codebase. Use environment variables or secure vaults to store your API keys safely. If you're using AWS, then AWS Secrets Manager is a solid option.

  2. Rotate and Set Expiration Dates for API Keys - Set expirations on your keys and rotate them regularly even if you don't think they have been compromised. By default, all new keys created in the web interface will have an expiration of one year after creation, but you have the capability to set a shorter expiration if you create your own key through the API. You also have the capability to manually revoke API keys from your API Keys Settings page if you suspect a key might have been compromised or would like to rotate it out just to be safe.

  3. Take Threats Seriously - It's better to err on the side of revoking a key that might have been compromised than to risk it being used by a malicious actor. If you have any reason to suspect that a key might have been exposed, then you should rotate it out as soon as possible.

  4. Use Keys Judiciously Across Different Environments - Use different keys for different applications or contexts, and give them informative names so you can tell them apart. If you use a single key for everything, then it makes it more disruptive to rotate it out. Using separate keys for CI/CD, your production API, your development environment, and any other locations will make it easier to rotate or revoke keys as necessary.

  5. Enable GitHub Secret Scanning - Enable GitHub Secret Scanning in any private GitHub repositories you use. We participate in GitHub's Secret Scanning Partner Program, so any of your API keys that are exposed in a public repository will automatically be revoked, and you will be notified via email with more information. This scanning only applies to public repositories by default, so you will need to opt into secret scanning in your private repositories.
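As an added example (not code from Sindri or its SDK), the following Python script audits a team's own record of API key metadata against practices 2 and 4 above: expiry, rotation age, one key per environment, and informative names. The inventory records, their field names, the 90-day rotation interval, and the list of generic names are all assumptions made for this example.

```python
from datetime import date, timedelta

# Constructed inventory: field names are assumptions for this example, not the
# schema of Sindri's API. Store only metadata here, never the key itself.
KEYS = [
    {"name": "ci-github-actions", "created": date(2024, 1, 10),
     "expires": date(2025, 1, 10), "used_in": ["ci"]},
    {"name": "key1", "created": date(2024, 6, 1),
     "expires": date(2025, 6, 1), "used_in": ["production", "development"]},
    {"name": "prod-api", "created": date(2024, 12, 1),
     "expires": date(2025, 3, 1), "used_in": ["production"]},
]

# Assumed list of names that say nothing about where a key is used.
GENERIC_NAMES = {"key", "key1", "test", "default", "api-key", "new-key"}


def audit_key(key, today, max_age_days=90, warn_days=30):
    """Return a list of findings for one key's metadata."""
    findings = []
    if key["expires"] <= today:
        findings.append("expired: remove it from every config that references it")
    elif key["expires"] - today <= timedelta(days=warn_days):
        findings.append("expires soon: create and deploy a replacement now")
    if today - key["created"] > timedelta(days=max_age_days):
        findings.append("older than rotation interval: rotate")
    if len(set(key["used_in"])) > 1:
        findings.append("shared across environments: issue one key per environment")
    if key["name"].lower() in GENERIC_NAMES:
        findings.append("uninformative name: rename so its purpose is clear")
    return findings


def audit(keys, today):
    """Map key name -> findings, omitting keys with nothing to report."""
    report = {k["name"]: audit_key(k, today) for k in keys}
    return {name: found for name, found in report.items() if found}


if __name__ == "__main__":
    for name, findings in audit(KEYS, date(2025, 1, 2)).items():
        for finding in findings:
            print(f"{name}: {finding}")
```

Running a check like this on a schedule turns the one-year default expiration into a reminder to rotate well before a key lapses.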

Change Password

After logging into the Sindri front-end, you can find the Change Password section under the Account Settings page. Here, you will be prompted to enter your existing password, followed by your new password twice.

For security reasons, we recommend choosing a strong password that contains a mix of letters (both uppercase and lowercase), numbers, and special symbols.

Forgot Password

You can reset your password here. This link can also be found on the login page.