Security & Key Management
Overview
All Que API requests (except /healthz) require an API key provided in the x-api-key header. API keys grant access to provenance operations like signing and verifying assets. Protect them as you would any other secret.
Best Practices
1. Store Secrets Securely
- Use environment variables (ENV_VAR) or dedicated secret managers (AWS Secrets Manager, HashiCorp Vault).
- Never commit keys to GitHub or config files.
# Example in Linux: export the variable the SDK examples below read
export QUE_API_KEY_AUTH="your-key-here"

// Example in TypeScript
import { Que } from "que-sdk";

// Read the key from the environment; never hard-code it in source
const que = new Que({
  apiKeyAuth: process.env["QUE_API_KEY_AUTH"] ?? "",
});

// The SDK automatically handles API key authentication (x-api-key header)
const result = await que.verifyAsset({
  asset: { url: "https://example.com/asset.jpg" },
  includeCertificates: true,
});
2. Use Least Privilege
Request only the API key permissions you need for your use case. Do not reuse production keys in development or CI.
3. Rotate Keys Regularly
Generate new keys periodically and revoke old ones. This limits the window of exposure if a key leaks.
4. Avoid Client-Side Exposure
Important
Never embed raw API keys in browser or mobile apps. Instead, proxy requests through your backend.
5. Apply Network Security Controls
- Use HTTPS at all times.
- Restrict outbound requests to known Que hosts.
- Monitor API usage via your usage dashboard.
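The backend proxy from item 4, combined with the egress allowlist from item 5, as an added example (not code from the Que docs or SDK): the browser sends only an asset URL to our backend, which validates it, attaches the key from the environment, and refuses to send the key anywhere but a known Que host. The Que base URL, the /verify path and the JSON body shape are assumptions, not documented values.

```python
"""Backend proxy for Que verification (added example; endpoint details are assumed)."""
import json
import os
from urllib.parse import urlparse
from urllib.request import Request, urlopen

# Assumption: the Que API base URL and verify path are NOT taken from the docs; placeholders.
QUE_BASE_URL = os.getenv("QUE_BASE_URL", "https://api.que.example")
VERIFY_PATH = "/verify"
# Egress allowlist: the key may only ever be sent to these hosts (item 5).
ALLOWED_QUE_HOSTS = {urlparse(QUE_BASE_URL).hostname}


def load_api_key() -> str:
    """Read the key server-side; the browser never receives it (item 4)."""
    key = os.getenv("QUE_API_KEY_AUTH", "")
    if not key:
        raise RuntimeError("QUE_API_KEY_AUTH is not set")
    return key


def build_upstream_request(client_body: bytes, api_key: str) -> Request:
    """Validate the untrusted client payload and build the request to Que.

    Only the asset URL is taken from the client, and only over https; the body,
    headers and key are chosen by the backend, so the client cannot inject them.
    """
    payload = json.loads(client_body)
    asset_url = payload.get("url") if isinstance(payload, dict) else None
    if not isinstance(asset_url, str) or urlparse(asset_url).scheme != "https":
        raise ValueError("expected a JSON object {'url': 'https://...'}")
    body = json.dumps({"asset": {"url": asset_url}, "includeCertificates": True})
    req = Request(QUE_BASE_URL + VERIFY_PATH, data=body.encode(), method="POST")
    req.add_header("content-type", "application/json")
    req.add_header("x-api-key", api_key)  # key travels in the header, not the body
    return req


def is_allowed_upstream(req: Request) -> bool:
    """Refuse to release the key to any host outside the allowlist, or over plain HTTP."""
    parts = urlparse(req.full_url)
    return parts.scheme == "https" and parts.hostname in ALLOWED_QUE_HOSTS


def proxy_verify(client_body: bytes) -> dict:
    """Entry point a web framework would call for POST /api/verify from the browser."""
    req = build_upstream_request(client_body, load_api_key())
    if not is_allowed_upstream(req):
        raise RuntimeError("refusing to send the API key to a non-Que host")
    with urlopen(req, timeout=10) as resp:
        return json.load(resp)
```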
Example: Passing an API Key
import json
import os

from que_media import Que

# The key is read from the environment; the SDK sends it in the x-api-key header
with Que(
    api_key_auth=os.getenv("QUE_API_KEY_AUTH", ""),
) as que:
    result = que.verify_asset(asset={
        "url": "https://example.com/asset.jpg"
    }, mode="summary", include_certificates=True)

    report = json.loads(result.report)
    print(report)
Tip
Run all tests with sandbox keys first. Switch to production keys only when you’re confident.