API Security

Zero Hash maintains the highest security standards for its API. This page breaks down the various features.

Authentication

Zero Hash uses HMAC SHA-256 verification to ensure the authenticity of every API request. See the Authentication section here for more details.

API Keys

General

API keys are created by users on the Portal UI by navigating to the API Keys page under the Administration tab and clicking the Add API Key button.

You will be presented with a few options to fill out:


Nickname: Personalized identifier for the key. Only relevant for display purposes on the UI after the key has been created.

Passphrase: Another personalized identifier for the key. Should be saved by the user and will be used as the X-SCX-PASSPHRASE header when signing requests.

Expiration Date: Optional expiration date. If left untouched, the key will never expire. This is helpful if you'd like to enforce a regular cadence of key change-out for increased security.

Allowed IPs: This option lets the user specify a list of IP addresses that can successfully interact with Zero Hash's APIs. If enabled, Zero Hash will evaluate the originating IP and compare it with the Allow List. If the IP is present in the list, the request will not be rejected. If left untouched, no IP validation will be done.

  • Supported formats: IPv4 and IPv6
  • Maximum number of IPs: 10
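
Before enabling Allowed IPs on a production key, it helps to check the proposed list against the limits above and against the addresses your services actually send from. The following is an added example, not Zero Hash code: the function names and sample addresses are constructed, and it assumes that entries are single addresses (not CIDR ranges), that addresses are compared by value rather than by string, and that an originating IP absent from an enabled list is rejected.

```python
import ipaddress

MAX_ALLOWED_IPS = 10  # limit stated on this page


def validate_allow_list(entries):
    """Return (normalized_addresses, errors) for a proposed Allowed IPs list."""
    addrs, errors = [], []
    if len(entries) > MAX_ALLOWED_IPS:
        errors.append(f"{len(entries)} entries exceeds the limit of {MAX_ALLOWED_IPS}")
    for raw in entries:
        text = raw.strip()
        try:
            addr = ipaddress.ip_address(text)  # accepts IPv4 and IPv6 only
        except ValueError:
            # Assumption: ranges such as 198.51.100.0/24 are not accepted,
            # because the page describes a list of addresses, not networks.
            errors.append(f"{text!r} is not a single IPv4 or IPv6 address")
            continue
        if addr in addrs:
            errors.append(f"{text!r} duplicates {addr} and wastes one of the slots")
        else:
            addrs.append(addr)
    return addrs, errors


def would_be_accepted(origin_ip, allow_list):
    """Model the documented rule: an empty list means no IP validation."""
    if not allow_list:
        return True
    return ipaddress.ip_address(origin_ip) in allow_list


def egress_not_covered(egress_ips, allow_list):
    """Egress addresses that would be rejected once the list is enabled."""
    return [ip for ip in egress_ips if not would_be_accepted(ip, allow_list)]


# Constructed sample data (documentation address ranges, not real hosts).
PROPOSED = ["203.0.113.10", "2001:DB8::1", "2001:0db8:0:0:0:0:0:1", "198.51.100.0/24"]
EGRESS = ["203.0.113.10", "2001:db8::1", "198.51.100.7"]

if __name__ == "__main__":
    allowed, problems = validate_allow_list(PROPOSED)
    print("normalized:", [str(a) for a in allowed])
    print("problems:", problems)
    print("would be locked out:", egress_not_covered(EGRESS, allowed))
```

Any address reported by `egress_not_covered` belongs to a service that would lose API access once the list is saved, so resolve those before enabling the option.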

API Permissions: Users can specify which of the products a particular key is allowed to interact with. If your organization only intends to use a subset of products, you can use this feature to limit the risk of unwanted activity. You can also specify read-only keys, which may be desired for use cases such as client-side monitoring, alerting, or dashboarding.

API Key Approvals

You can also configure your platform so that newly created API Keys require a certain number of approvals. This is configurable by Zero Hash personnel only, so please reach out if interested.

There is also an audit trail you can view by clicking on the Details button.