Security: internal tools vs public app

Hi Xano community 👋

Noob question here: how should I think about security when building API endpoints for an internal tool?

Context and my thought process—
• I plan to use WeWeb to build a front-end for my external users, and I plan to use Xano's authentication features for a password-less login. This makes sense to me.
• I plan to use Jet Admin to build an internal tool. The internal tool will have its own API endpoints, but I'm not sure how I should think about securing them.
• Should I set up an "internal" API key to use with Jet Admin?
• Should I generate a random X digit key with Y tool and make that an environment variable in Xano (and require it for every API request from my internal tool)? (Jet Admin will handle authentication for accessing the internal tool.)
• Are there any best practices here? Are there any best practices I'm not following by using a tool like Jet Admin and outsourcing the internal team authentication to that tool (vs handling it on Xano's side)?

Let me know if this makes sense and/or if I can clarify.

Best,

Wes

Comments

  • Ray Deck (Trusted Xano Expert)
    Your internal API key idea is the most common practice. It's often called the client credentials flow.

    You make it better by “rotating” that internal key by switching it out every once in a while.

    Make the key nice and long and with upper, lower and numbers. No human needs to remember it.
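The pattern Wes describes and Ray confirms (a long random key held in an environment variable, required on every request from the internal tool, and rotated from time to time) is easy to get slightly wrong in two places: comparing the key with a plain `==` (timing leak) and rotating it in a way that breaks the internal tool the moment the old key is retired. The following is an added Python example, not code from Xano, Jet Admin or either poster; the header name `X-Internal-Key`, the `InternalKeyStore` class and the grace-period rotation are assumptions made for illustration. It generates a key, checks it in constant time, and keeps the previous key valid for a short grace window so the Jet Admin side can be updated without an outage.

```python
import hmac
import secrets
import time


def generate_internal_key(nbytes: int = 32) -> str:
    """Return a long, random, URL-safe key (32 bytes -> 43 characters).

    secrets.token_urlsafe draws from the OS CSPRNG, which is what you want
    instead of a hand-typed or time-seeded value. The result uses upper,
    lower, digits, '-' and '_', so no human needs to remember it.
    """
    return secrets.token_urlsafe(nbytes)


class InternalKeyStore:
    """Holds the active key plus the previous key during a rotation grace period.

    Assumed design (not Xano's): the active key is what you would put in the
    environment variable; `rotate()` swaps in a new key while the old one keeps
    working for `grace_seconds` so the internal tool can be reconfigured.
    """

    def __init__(self, key: str, grace_seconds: int = 3600, now=time.time):
        self._now = now                 # injectable clock, so tests are deterministic
        self._grace = grace_seconds
        self._current = key
        self._previous = None
        self._previous_expires_at = 0.0

    def rotate(self, new_key: str) -> str:
        """Make `new_key` active; keep the old key valid until the grace window ends."""
        self._previous = self._current
        self._previous_expires_at = self._now() + self._grace
        self._current = new_key
        return new_key

    def is_valid(self, presented: str) -> bool:
        """Constant-time check against the current key, then the previous key if still in grace."""
        candidate = presented.encode("utf-8")
        if hmac.compare_digest(candidate, self._current.encode("utf-8")):
            return True
        if (
            self._previous is not None
            and self._now() < self._previous_expires_at
            and hmac.compare_digest(candidate, self._previous.encode("utf-8"))
        ):
            return True
        return False


def check_request(headers: dict, store: InternalKeyStore) -> tuple:
    """Apply the 'require the key on every request' rule to one request's headers.

    Returns an (HTTP status, reason) pair. A missing key and a wrong key are
    distinguished here for logging; both are rejected before any handler runs.
    """
    presented = headers.get("X-Internal-Key")
    if not presented:
        return 401, "missing internal key"
    if not store.is_valid(presented):
        return 403, "invalid internal key"
    return 200, "ok"


if __name__ == "__main__":
    # Constructed walk-through: issue a key, serve a request, rotate, serve again.
    first_key = generate_internal_key()
    store = InternalKeyStore(first_key, grace_seconds=3600)
    print("generated key length:", len(first_key))
    print("good request:", check_request({"X-Internal-Key": first_key}, store))
    print("no key:", check_request({}, store))
    second_key = store.rotate(generate_internal_key())
    print("old key during grace:", check_request({"X-Internal-Key": first_key}, store))
    print("new key:", check_request({"X-Internal-Key": second_key}, store))
```

The grace window is the practical half of Ray's "rotate it every once in a while": generate the new key, update the internal tool's configuration, and only then let the old key lapse. Log the 401/403 reasons rather than returning them verbatim to the caller, so a probe against the internal endpoints is visible in your request logs without telling the sender which check it failed.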
  • Wes Wagner (Member)
    Awesome, thank you so much, Ray.