Authentication & Security
Learn how to securely authenticate and manage API keys, tokens, and webhook secrets for RunAsh integrations.
Security is critical for live commerce integrations. This guide covers API key best practices, token management, server-side authentication patterns, webhook verification, and operational security recommendations.
RunAsh issues secret API keys for server-to-server authentication. These keys grant access to your account's APIs and should be treated like passwords.
- Store keys in server-side environments only (never embed secrets in client-side code).
- Use separate keys for development and production environments.
- Prefer scoped keys when available (limit a key to read-only, analytics-only, or streaming-only actions).
curl -X GET "https://api.runash.in/v1/streams" \ -H "Authorization: Bearer sk_live_XXXXXXXXXXXX"
Always keep secrets on the server. If a browser or mobile client needs to call RunAsh APIs, have it call your backend which performs the authenticated request.
- Client → Your backend (authenticated, e.g., session or short-lived token).
- Your backend → RunAsh API using secret API key stored in environment variables.
- Return only non-sensitive results to the client.
// server.js
const runash = require('@runash/sdk')({ apiKey: process.env.RUNASH_API_KEY });
app.post('/api/create-stream', async (req, res) => {
const stream = await runash.streams.create(req.body);
res.json({ id: stream.id, push_url: stream.push_url });
});Regularly rotate keys and have a process to revoke compromised keys quickly. Follow a rotate-withoverlap flow:
- Create a new key.
- Deploy code using the new key while keeping the old key active.
- Verify behavior, then revoke the old key once traffic is confirmed.
Use the principle of least privilege — give keys only the permissions they need. If RunAsh supports scoped keys, create separate keys for:
- Stream control (create/update stream sessions)
- Product management (create/update products)
- Analytics export (read-only)
- Webhook signing (separate secret for verifying payloads)
Tokens and API keys must never be embedded in client-side bundles, mobile apps, or browser JavaScript. If you need short-lived access from clients, issue short-lived tokens from your backend (TTL of minutes to hours).
// 1) Client authenticates to your backend (session) // 2) Backend issues temporary token (expires in 10m) // 3) Client uses temporary token to call limited endpoints
Verify webhooks to ensure payloads come from RunAsh. We sign webhook payloads with a secret; your server should validate the signature (HMAC-SHA256) before processing.
// Node.js (pseudo)
const crypto = require('crypto');
const payload = await getRawBody(req);
const signature = req.headers['x-runash-signature']; // e.g. t=timestamp,v1=hexsig
const expected = crypto
.createHmac('sha256', process.env.RUNASH_WEBHOOK_SECRET)
.update(payload)
.digest('hex');
if (!timingSafeEqual(expected, signature)) {
return res.status(400).send('Invalid signature');
}- Store secrets in environment variables or a secrets manager (HashiCorp Vault, AWS Secrets Manager, etc.).
- Restrict which hosts or IP ranges can access sensitive admin endpoints.
- Enable audit logs and monitor API key usage for anomalies (sudden spike, unusual endpoints).
- Use multi-factor authentication (MFA) for dashboard and key management access.
- Keep API keys on the server and never in client bundles.
- Rotate keys regularly and revoke compromised keys immediately.
- Use scoped & short-lived tokens where possible.
- Verify webhooks with HMAC signatures and timestamps.
- Store secrets in a dedicated secrets manager and enable audit logging.
Was this page helpful?
Your feedback helps us improve RunAsh docs.