Authentication (API Keys)

API Development And
Integration Guide

Authentication (API Keys)

What Are API Keys?

x-api-key is WUPEX’s primary authentication mechanism.

Why You Should Use Sandbox First

Issue unique API keys per user and environment (sandbox vs production).
Use it as a bearer token in HTTP headers to identify your account.

How to Obtain and Use API Keys

1. Sandbox Key

Access your sandbox API key via:
 https://sandbox-portal.wupex.com/
 Use this key when testing in sandbox.

2. Production Key

Retrieve your live API key from:
 https://portal.wupex.com/settings
 Use this key when interacting with production.

Required Header for All API Calls:

make file

x-api-key: YOUR_API_KEY
Accept-Language: en-US

Security Best Practices

Secure Storage
Never hardcode keys in source code or store them in public repositories.
Store keys in environment variables or secrets managers (e.g., AWS Secrets Manager, Vault) .
Restrict Usage
Limit key access by IP address, environment, or specific endpoints.
Rotate or regenerate keys regularly to minimize the impact of any exposure
Rotate and Revoke
Periodically rotate your API keys (recommended every 30–90 days).
Immediately revoke any unused or suspected-compromised keys .
Use Secure Transmission
All WUPEX API traffic should be via HTTPS (TLS).
Avoid passing keys as query parameters—always use headers & secure channels
Track Access
Use monitoring/logging to track API usage and detect anomalies.
Set rate limits and alert thresholds to catch abuse early
Client-Side Exposure
Do not expose API keys in client-side code (JavaScript, mobile apps).
Use your own backend to make API requests, keeping keys server-side

Recommended Key Management Process

Step	Action
1	Generate sandbox key and develop/test your integration
2	Safely store keys in environment variables or secure vault
3	Rotate keys every 30–90 days
4	Revoke old/unneeded keys promptly
5	Similar limits; may be designed for testing

Why It Matters

Proper API key management helps to:

Prevent misuse and minimize impact of leaks
Comply with security standards (e.g., PCI, GDPR)
Ensure service continuity by avoiding accidental rate limits or unauthorized access

Example (Node.js)

https

const apiKey = process.env.WUPEX_API_KEY;
fetch(`${baseUrl}/api/product/merchant/invited/list`, {
  method: 'POST',
  headers: {
    'x-api-key': apiKey,
    'Accept-Language': 'en-US',
    'Content-Type': 'application/json'
  },
  body: JSON.stringify({ page:1, pageSize:20 })
});

This setup follows industry-standard security protocols and ensures safe, seamless integration with both sandbox and production WUPEX environments.