API keys are the primary authentication mechanism for the MigoSMTP and Telnxo REST APIs. A leaked or compromised API key gives an attacker full sending access — the ability to send emails, SMS, voice calls, or WhatsApp messages from your account, depleting your quota and damaging your reputation. This article covers everything you need to know to protect your API keys properly.
Understanding What an API Key Can Do
An API key acts as a password for your platform account. With a valid API key, anyone can:
- Send emails through your MigoSMTP account using your sending domains and IPs.
- Send SMS, voice calls, and WhatsApp messages from your Telnxo account.
- Access your delivery logs, message history, and analytics.
- Manage templates, suppression lists, and domains (depending on key scope).
- Consume your monthly quota, potentially blocking legitimate sending.
Treat your API keys with the same care as you would treat your account password.
The 10 Rules of API Key Security
| # | Rule | Why It Matters |
|---|---|---|
| 1 | Never hard-code keys in source code | Source code is often committed to version control (Git). Hard-coded keys become permanently exposed in your commit history — even if you delete the key from the latest version. |
| 2 | Use environment variables | Store keys in .env files or system environment variables. Ensure .env is in your .gitignore and never committed. |
| 3 | Never share keys via email, Slack, or chat | Chat and email messages may be logged, archived, or visible to third parties. Use a secrets manager to share keys with teammates securely. |
| 4 | Use separate keys per application | If one application is compromised, only that key needs to be rotated — not all applications sharing a single key. |
| 5 | Set the minimum required scope | If an app only needs to send email, create a key with send-only scope. Do not grant admin or reporting access unless the app genuinely needs it. |
| 6 | Rotate keys regularly | Even without a known compromise, rotating keys every 90 days limits the window of exposure if a key was silently leaked. |
| 7 | Never expose keys in client-side code | JavaScript running in a browser, mobile app binaries, or frontend code is publicly inspectable. API calls must always go through your backend server — never directly from the client. |
| 8 | Monitor API key usage | Review the API logs in the platform dashboard regularly. Unusual spikes in volume, unexpected sending times, or unknown recipient domains may indicate a compromised key. |
| 9 | Revoke keys that are no longer in use | Unused keys are a dormant attack surface. Delete keys for decommissioned apps, old projects, or former contractors immediately. |
| 10 | Use a secrets manager for production | In production environments, use tools like AWS Secrets Manager, HashiCorp Vault, or Azure Key Vault to store and rotate API keys automatically. |
Correct Way to Store API Keys — Code Examples
Using Environment Variables (Recommended)
.env file (never commit this file):
MIGOSMTP_API_KEY=your_api_key_here TELNXO_API_KEY=your_api_key_here
PHP:
$apiKey = getenv('MIGOSMTP_API_KEY');
Python:
import os
api_key = os.environ.get('MIGOSMTP_API_KEY')
Node.js:
const apiKey = process.env.MIGOSMTP_API_KEY;
What to Do If an API Key Is Compromised
- Revoke the key immediately — go to the platform dashboard (MigoSMTP or Telnxo) → API Keys → find the compromised key → click Revoke. The key is invalidated instantly.
- Generate a replacement key — create a new key and update all applications using it.
- Review API logs — check the API access logs for the period of potential compromise. Look for unusual sending activity, unexpected recipients, or high volume spikes.
- Assess the damage — if unauthorised sending occurred, review your delivery reports and suppression lists to understand what was sent and to whom.
- Notify affected parties — if unauthorised emails or messages were sent to your contacts, consider notifying them depending on the content that was sent.
- Contact Rackwave support — report the compromise so the team can investigate from the infrastructure side and confirm no further exposure exists.
- Audit your codebase — search your entire codebase and commit history for any hard-coded key strings and remove them. Treat the old key as permanently compromised.
Detecting a Compromised Key Early — Warning Signs
- Unexpected spike in sent messages that you did not initiate.
- Delivery reports showing messages to unknown or unusual recipient addresses.
- Monthly quota depleted faster than expected.
- API access log entries from IP addresses or countries you do not operate in.
- Sudden increase in bounce rate or spam complaints — signs of sending to unfamiliar lists.