
API security

As a security best practice, rotate your API keys regularly:

  1. Create a new API key. For more information, see Get an API key.
  2. Update your application to use the new key.
  3. Test that the new key works correctly.
  4. Delete the old key from your dashboard.

Revoke API keys

Revoking an API key immediately stops all requests using that key. Ensure you've updated your applications with the new key before revoking old keys.

  1. After you have created and used the new key with your application, log in to your Instacart Developer Dashboard.
  2. Navigate to the API Keys section.
  3. Find the key you want to revoke.
  4. Click Revoke.
  5. Confirm the action.

Security recommendations

Storage

  • Store API keys in environment variables or secure configuration management systems.
  • Never commit API keys to version control.
  • Use different keys for different environments.

Access control

  • Limit API key permissions to only what's necessary.
  • Use separate keys for different applications or services.
  • Regularly audit which keys are in use.
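
The storage and access-control recommendations above can be enforced at application startup. The following is an added example, not code from Instacart or its SDKs: it reads one key per environment from environment variables, refuses a key shared between environments, and reports short fingerprints for audits. The variable names `EXAMPLE_API_KEY_DEV` and `EXAMPLE_API_KEY_PROD` and the sample values are assumptions made for the illustration.

```python
import hashlib
import os

# Hypothetical variable names, one per environment (assumed, not from the page).
ENV_VARS = {
    "development": "EXAMPLE_API_KEY_DEV",
    "production": "EXAMPLE_API_KEY_PROD",
}


class KeyConfigError(Exception):
    """Raised when the key configuration breaks the storage recommendations."""


def fingerprint(key):
    """Short SHA-256 prefix that identifies a key in logs without revealing it."""
    return hashlib.sha256(key.encode("utf-8")).hexdigest()[:12]


def load_api_key(environment, environ=None):
    """Return the key for `environment`, read only from environment variables."""
    environ = os.environ if environ is None else environ
    if environment not in ENV_VARS:
        raise KeyConfigError(f"unknown environment: {environment!r}")
    var = ENV_VARS[environment]
    key = environ.get(var, "").strip()
    if not key:
        raise KeyConfigError(f"{var} is not set")
    # Different environments must not share a key.
    for other_env, other_var in ENV_VARS.items():
        if other_env != environment and environ.get(other_var, "").strip() == key:
            raise KeyConfigError(f"{var} and {other_var} hold the same key")
    return key


def keys_in_use(environ=None):
    """Map each configured environment to its key fingerprint, for audits."""
    environ = os.environ if environ is None else environ
    return {
        env: fingerprint(environ[var].strip())
        for env, var in ENV_VARS.items()
        if environ.get(var, "").strip()
    }


if __name__ == "__main__":
    # Constructed sample values, not real keys.
    sample = {"EXAMPLE_API_KEY_DEV": "dev-sample-key",
              "EXAMPLE_API_KEY_PROD": "prod-sample-key"}
    print(keys_in_use(sample))
```

During a rotation, the fingerprint reported for an environment changes once the application has picked up the new key, which gives a quick check before the old key is deleted.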

Monitor API keys

  • Monitor API key usage in your dashboard.
  • Set up alerts for unusual usage patterns.
  • Review access logs regularly.

For additional help, contact Developer Support.