Gold Logo

API Keys Security Guidelines

This document outlines the security guidelines for handling API keys in the Gold Digger project. Following these guidelines is crucial to prevent sensitive information from being exposed to the client.

Client vs. Server Environment Variables

Client-Side Variables

Variables with the NEXT_PUBLIC_ prefix are included in the client-side JavaScript bundle and are visible to anyone who visits the website. These should only be used for:

  • Public URLs
  • Feature flags
  • Public configuration values
  • Any value that is safe to be publicly visible

Example:

NEXT_PUBLIC_WEBSITE_URL=https://golddigger.dev

Server-Side Variables

Variables without the NEXT_PUBLIC_ prefix are only available on the server and are never exposed to the client. These should be used for:

  • API keys
  • Secret tokens
  • Database credentials
  • Any sensitive information

Example:

HELIUS_API_KEY=your_secret_api_key

Accessing Server-Side Variables from Client Components

If you need to use a server-side variable (like an API key) in a client component, you should:

  1. Create a server-side API route that uses the API key
  2. Call this API route from your client component

Example:

// app/api/helius/proxy/route.ts (Server)
import { NextResponse } from 'next/server';

export async function POST(request) {
  const body = await request.json();
  
  // Use the server-side API key
  const response = await fetch('https://api.helius.xyz/v1/some-endpoint', {
    method: 'POST',
    headers: {
      'Authorization': `Bearer ${process.env.HELIUS_API_KEY}`,
      'Content-Type': 'application/json',
    },
    body: JSON.stringify(body),
  });
  
  const data = await response.json();
  return NextResponse.json(data);
}
// Client component
async function fetchData() {
  const response = await fetch('/api/helius/proxy', {
    method: 'POST',
    body: JSON.stringify({ /* request data */ }),
  });
  
  return await response.json();
}

Common Mistakes to Avoid

  1. Never use NEXT_PUBLIC_ prefix for API keys or secrets
  2. Never hardcode API keys in client-side code
  3. Never commit .env files to version control (use .env.example instead)
  4. Never log sensitive information to the console
  5. Never expose API keys in error messages

Security Checklist

All API keys use server-side environment variables
No API keys are exposed in client-side code
All API requests with keys are proxied through server routes
.env files are in .gitignore
Regular security audits are performed

External API Integrations

Gold Digger integrates with several third-party APIs to enhance functionality. Each of these APIs requires its own API key that must be securely managed.

Helius API

Helius provides enhanced Solana data services that we use for blockchain data indexing, NFT metadata, and real-time transaction monitoring.

// Server-side environment variable
HELIUS_API_KEY=your_helius_api_key

// Example usage in a server component or API route
const response = await fetch('https://api.helius.xyz/v1/nfts?api-key=' + process.env.HELIUS_API_KEY);

Jupiter API

Jupiter is a Solana-based swap aggregator that we use for token swaps and liquidity management.

// Server-side environment variable
JUPITER_API_KEY=your_jupiter_api_key

// Example usage in a server component or API route
const response = await fetch('https://quote-api.jup.ag/v6/quote', {
  headers: {
    'Authorization': `Bearer ${process.env.JUPITER_API_KEY}`
  }
});

CoinMarketCap API

CoinMarketCap provides cryptocurrency market data that we use for token pricing, market analysis, and portfolio tracking.

// Server-side environment variable
COINMARKETCAP_API_KEY=your_coinmarketcap_api_key

// Example usage in a server component or API route
const response = await fetch('https://pro-api.coinmarketcap.com/v1/cryptocurrency/quotes/latest', {
  headers: {
    'X-CMC_PRO_API_KEY': process.env.COINMARKETCAP_API_KEY
  }
});

OpenAI API

We use OpenAI's API for AI-powered features such as content generation, metadata suggestions, and market analysis.

// Server-side environment variable
OPENAI_API_KEY=your_openai_api_key

// Example usage in a server component or API route
import { OpenAI } from 'openai';

const openai = new OpenAI({
  apiKey: process.env.OPENAI_API_KEY
});

const response = await openai.chat.completions.create({
  model: "gpt-4",
  messages: [
    { role: "system", content: "You are a helpful assistant for NFT metadata generation." },
    { role: "user", content: "Generate a description for a gold mining themed NFT." }
  ]
});

API Key Rotation

For enhanced security, we recommend regularly rotating API keys. This process involves:

  1. Generate a new API key from the service provider
  2. Update the environment variable in your deployment platform (e.g., Vercel)
  3. Verify the new key works correctly
  4. Revoke the old API key

We recommend rotating keys every 90 days or immediately if you suspect a key has been compromised.

Monitoring API Usage

Monitor your API usage to detect unusual patterns that might indicate unauthorized access or inefficient code:

  • Set up usage alerts in your API provider dashboards
  • Implement logging for API calls to track usage patterns
  • Review API costs regularly to identify potential optimizations
  • Use rate limiting in your application to prevent accidental overuse