Choose an appropriate authentication method
You should choose an authentication method that is appropriate for the task you want to accomplish.
- To use the API for server-to-server communication, you can create an Access Token.
- To use the API on behalf of an authenticated user, you should use User Tokens.
Limit the permissions of your tokens
When creating an Access Token, select only the minimum permissions or scopes needed.
Store your Access Tokens securely
Treat Access Tokens the same way you would treat your passwords or other sensitive credentials.
- Don't share Access Tokens using an unencrypted messaging or email system.
- Don't push unencrypted tokens or keys to any repository, even if the repository is private.
Limit who can access your Access Tokens
If you need to share Access Tokens with a team, store the credentials in a secure shared system. For example, you could store and share passwords securely using 1Password, or you could store keys in Azure Key Vault and manage access with your IAM (Identity and access management).
Use Access Tokens securely in your code
Never hardcode authentication credentials like tokens, keys, or app-related secrets into your code. Instead, consider using a secret manager such as Azure Key Vault.
If none of these options are possible, you can store authentication credentials in a .env file. Make sure to encrypt your .env file, and never push it to any repository.
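The following is an added example (not code from the original page) of the pattern the section describes: the token is read from the process environment, falling back to a .env file, and never written into the source. The variable name ACCESS_TOKEN, the function names and the sample .env content are assumptions constructed for the example.

```python
import os
import re
from pathlib import Path

# Environment variable holding the credential (assumed name for this example).
TOKEN_ENV_VAR = "ACCESS_TOKEN"

# Matches "KEY=value" or "export KEY=value" lines in a .env file.
_LINE_RE = re.compile(r"^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")


def parse_dotenv(text: str) -> dict:
    """Parse KEY=VALUE lines; blank lines and # comments are ignored and
    matching surrounding quotes are stripped from values."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _LINE_RE.match(line)
        if not match:
            continue
        key, val = match.group(1), match.group(2).strip()
        if len(val) >= 2 and val[0] == val[-1] and val[0] in "\"'":
            val = val[1:-1]
        values[key] = val
    return values


def load_access_token(env=None, dotenv_path=None) -> str:
    """Return the token from the environment, else from a .env file.
    A missing credential raises instead of silently using a default,
    so nothing in the code base ever needs a hardcoded fallback."""
    env = os.environ if env is None else env
    token = env.get(TOKEN_ENV_VAR)
    if not token and dotenv_path is not None:
        path = Path(dotenv_path)
        if path.is_file():
            token = parse_dotenv(path.read_text()).get(TOKEN_ENV_VAR)
    if not token:
        raise RuntimeError(f"{TOKEN_ENV_VAR} is not set in the environment or .env file")
    return token


def redact(token: str, keep: int = 4) -> str:
    """Render a token for logs or error messages with only its tail visible."""
    if len(token) <= keep:
        return "*" * len(token)
    return "*" * (len(token) - keep) + token[-keep:]


if __name__ == "__main__":
    # Constructed .env content; in practice this file stays out of the repository.
    sample = '# local secrets\nexport ACCESS_TOKEN="tok_example_value"\n'
    print("loaded:", redact(parse_dotenv(sample)[TOKEN_ENV_VAR]))
```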
Prepare a remediation plan
You should create a plan to handle any security breaches in a timely manner. In the event that your token or other authentication credential is leaked, you will need to:
1. Generate a new Access Token.
2. Replace the old token with the new one everywhere that you are storing or accessing the token.
3. Delete the old compromised token.
For information about creating and deleting Access Tokens, see Managing your personal access tokens.