Authentication

Best practices for API and dashboard authentication

Authentication Overview

Daily Event Insurance uses industry-standard authentication methods to secure API access and user accounts. We support multiple authentication methods depending on your integration type, all designed to provide strong security while maintaining ease of use.

Authentication Methods

API Keys

Server-to-server integration

High Security

Features:

Long-lived credentials
Environment-specific keys
Rate limiting built-in
IP whitelisting available

Best for:

Backend integrations, automated systems

OAuth 2.0

User authorization

Very High Security

Features:

Token-based authentication
Scoped permissions
Short-lived access tokens
Refresh token support

Best for:

Third-party applications, user-facing apps

JWT Tokens

Stateless authentication

High Security

Features:

Self-contained tokens
Signature verification
Expiration handling
Custom claims support

Best for:

Microservices, distributed systems

Multi-Factor Authentication (MFA)

MFA adds an extra layer of security by requiring two or more verification factors. We strongly recommend enabling MFA for all accounts, and require it for admin access.

Authenticator App

Recommended

TOTP-based verification (Google Authenticator, Authy)

SMS Verification

One-time code sent via text message

Email Verification

One-time code sent via email

Hardware Keys

Recommended

FIDO2/WebAuthn security keys (YubiKey)

Authentication Best Practices

Credential Management

Never hardcode API keys in source code
Use environment variables for sensitive data
Rotate credentials every 90 days
Use different keys for dev/staging/production
Store keys in secure vaults (AWS Secrets Manager, etc.)
Revoke unused or compromised keys immediately

Session Management

Use secure, httpOnly cookies for session tokens
Implement proper session timeout (15-30 minutes)
Regenerate session IDs after authentication
Implement logout on all devices
Use CSRF tokens for state-changing operations
Log session events for audit trail

Password Security

Enforce minimum 12 character passwords
Require mix of uppercase, lowercase, numbers, symbols
Implement password strength meter
Prevent common/breached passwords
Use bcrypt/argon2 for password hashing
Implement account lockout after failed attempts

Access Control

Implement role-based access control (RBAC)
Follow principle of least privilege
Separate read and write permissions
Log all access attempts
Review and audit permissions regularly
Require re-authentication for sensitive actions

Code Examples

Secure API Key Usage (Node.js)

// ❌ Bad: Hardcoded API key
const apiKey = 'sk_live_EXAMPLE_DO_NOT_USE';

// ✅ Good: Environment variable
const apiKey = process.env.DAILY_EVENT_API_KEY;

// ✅ Better: Validate key exists
if (!process.env.DAILY_EVENT_API_KEY) {
  throw new Error('API key not configured');
}

const apiKey = process.env.DAILY_EVENT_API_KEY;

API Request with Authentication

const response = await fetch('https://api.dailyevent.com/v1/quotes', {
  method: 'POST',
  headers: {
    'Authorization': `Bearer ${apiKey}`,
    'Content-Type': 'application/json',
    'X-Request-ID': generateRequestId(), // For tracing
  },
  body: JSON.stringify(quoteData)
});

// Always check response status
if (!response.ok) {
  if (response.status === 401) {
    // Handle authentication error
    throw new Error('Invalid API key');
  }
  throw new Error('API request failed');
}

Secure Token Storage (Frontend)

// ❌ Bad: localStorage for sensitive tokens
localStorage.setItem('access_token', token);

// ✅ Good: httpOnly cookie (set by backend)
// Cookie: access_token=...; HttpOnly; Secure; SameSite=Strict

// ✅ For short-lived tokens in memory
class TokenManager {
  #accessToken = null;

  setToken(token) {
    this.#accessToken = token;
    // Clear token after expiration
    setTimeout(() => this.#accessToken = null, 15 * 60 * 1000);
  }

  getToken() {
    return this.#accessToken;
  }
}

Common Authentication Mistakes

Exposing API keys in client-side code

High

Keys can be stolen and abused

Use server-side proxy or OAuth flow for client apps

Not validating tokens on every request

High

Expired/revoked tokens may be accepted

Implement middleware to verify tokens on all protected routes

Using weak password requirements

Medium

Accounts vulnerable to brute force

Enforce strong password policies and rate limiting

Storing passwords in plain text logs

Critical

Complete compromise of user credentials

Sanitize logs to remove sensitive data before storage

Not implementing MFA for admin accounts

High

Single point of failure for critical access

Require MFA for all privileged accounts

Additional Resources

API Documentation

Complete API reference with authentication examples

API Security

Security guidelines for API usage

Security Support

Contact our security team for help

Next: API Security

Back to Security Center

Authentication Methods

API Keys

Server-to-server integration

High Security

Features:

Long-lived credentials
Environment-specific keys
Rate limiting built-in
IP whitelisting available

Best for:

Backend integrations, automated systems

OAuth 2.0

User authorization

Very High Security

Features:

Token-based authentication
Scoped permissions
Short-lived access tokens
Refresh token support

Best for:

Third-party applications, user-facing apps

JWT Tokens

Stateless authentication

High Security

Features:

Self-contained tokens
Signature verification
Expiration handling
Custom claims support

Best for:

Microservices, distributed systems

Authentication Best Practices

Credential Management

Never hardcode API keys in source code
Use environment variables for sensitive data
Rotate credentials every 90 days
Use different keys for dev/staging/production
Store keys in secure vaults (AWS Secrets Manager, etc.)
Revoke unused or compromised keys immediately

Session Management

Use secure, httpOnly cookies for session tokens
Implement proper session timeout (15-30 minutes)
Regenerate session IDs after authentication
Implement logout on all devices
Use CSRF tokens for state-changing operations
Log session events for audit trail

Password Security

Enforce minimum 12 character passwords
Require mix of uppercase, lowercase, numbers, symbols
Implement password strength meter
Prevent common/breached passwords
Use bcrypt/argon2 for password hashing
Implement account lockout after failed attempts

Access Control

Implement role-based access control (RBAC)
Follow principle of least privilege
Separate read and write permissions
Log all access attempts
Review and audit permissions regularly
Require re-authentication for sensitive actions

// ❌ Bad: Hardcoded API key const apiKey = 'sk_live_EXAMPLE_DO_NOT_USE'; // ✅ Good: Environment variable const apiKey = process.env.DAILY_EVENT_API_KEY; // ✅ Better: Validate key exists if (!process.env.DAILY_EVENT_API_KEY) { throw new Error('API key not configured'); } const apiKey = process.env.DAILY_EVENT_API_KEY;

// ❌ Bad: localStorage for sensitive tokens localStorage.setItem('access_token', token); // ✅ Good: httpOnly cookie (set by backend) // Cookie: access_token=...; HttpOnly; Secure; SameSite=Strict // ✅ For short-lived tokens in memory class TokenManager { #accessToken = null; setToken(token) { this.#accessToken = token; // Clear token after expiration setTimeout(() => this.#accessToken = null, 15 * 60 * 1000); } getToken() { return this.#accessToken; } }