CleanCloud provides API access so businesses can integrate with third-party systems, build custom tools, and automate workflows.
Because API keys provide authenticated access to your store’s data, it is important to store and manage them securely.
⚠️ Security Best Practice Reminder
API keys provide powerful access to your store’s data. They should only be shared with trusted developers or approved integrations, and should always be stored securely.
Following the best practices below will help protect your account and prevent accidental exposure.
1. Never Expose API Keys in Client-Side Applications
API keys should never be included in code that runs on a user’s device, such as:
Frontend web applications (React, Vue, etc.)
Mobile applications
Desktop applications
Public JavaScript code
If an API key is embedded in client-side code, it can often be extracted by inspecting network traffic or reviewing the application’s source code.
💡 Recommended Approach: Use a Backend Proxy
Instead of calling the CleanCloud API directly from a client application:
Your frontend sends requests to your backend server
Your backend securely stores the API key
The backend attaches the API key when communicating with the CleanCloud API
This ensures the API key remains secure and is never exposed publicly.
2. Use Environment Variables for Local Development
When developing integrations locally, avoid hardcoding API keys into your code.
Instead, store credentials using environment variables.
For example, you can store your API key in a .env file:
CLEANCLOUD_API_KEY=your_api_key_here
Your application can then read this variable securely at runtime.
It is also recommended to include a .env.example file in your project with placeholder values. This allows other developers to understand which environment variables are required without exposing real keys.
3. Protect API Keys in Version Control
One of the most common ways API keys are accidentally exposed is through version control systems such as GitHub.
To prevent this:
Add
.envfiles and other configuration files containing secrets to your .gitignoreAvoid committing API keys or credentials to public repositories
Use secret scanning tools to detect exposed keys before they are committed
Examples of tools include:
GitHub Secret Scanning
git-secrets
These tools can automatically detect and block commits containing identifiable API keys.
4. Secure API Keys in Production Environments
When deploying applications, API keys should be stored using secure environment management systems rather than local configuration files.
Many hosting platforms provide built-in tools to manage environment variables securely, including:
Vercel
Heroku
Netlify
For larger cloud deployments, dedicated secret management services can provide additional protection. These services encrypt keys and control which applications are allowed to access them.
Common options include:
AWS Secrets Manager
Google Cloud Secret Manager
Azure Key Vault
HashiCorp Vault
👉 If You Believe Your API Key Has Been Exposed
If you believe your API key may have been exposed or shared unintentionally, please contact CleanCloud Support immediately.
Our team can help regenerate your API key and ensure your account remains secure.
🛟 Need more help?
Explore our Help Center articles for answers. Contact us for further assistance.