Skip to main content

​
Security Best Practices

Protect your Fincept account, API keys, and financial data with these security guidelines.

​
API Key Security

​
Never Expose Keys Publicly

Bad:
# config.py
API_KEY = "fk_user_Hy8kL2mN9pQ1..." #  NEVER DO THIS
Good:
# config.py
import os
API_KEY = os.getenv("FINCEPT_API_KEY") #  Use environment variables
Add to .gitignore:
.env
.env.local
config.json
secrets.*
*.key
Bad:
// app.js - Client-side code
const API_KEY = "fk_user_Hy8kL2mN9pQ1..."; //  Exposed to users!
Good:
// backend/server.js - Server-side only
const API_KEY = process.env.FINCEPT_API_KEY; //  Secure
Never expose API keys in client-side JavaScript, mobile apps, or browser code!
When sharing code snippets in GitHub issues, Stack Overflow, or Discord:Bad:
curl -H "X-API-Key: fk_user_abc123..." #  Real key visible
Good:
curl -H "X-API-Key: YOUR_API_KEY_HERE" #  Placeholder
Bad:
logger.info(f"Using API key: {API_KEY}") #  Logged
Good:
logger.info(f"Using API key: {API_KEY[:10]}***") #  Redacted

​
Store Securely

Linux/macOS (.bashrc or .zshrc):
export FINCEPT_API_KEY="fk_user_your_key"
Windows (System Environment):
setx FINCEPT_API_KEY "fk_user_your_key"
.env file (with python-dotenv):
FINCEPT_API_KEY=fk_user_your_key

from dotenv import load_dotenv
load_dotenv()

API_KEY = os.getenv("FINCEPT_API_KEY")

​
Password Security

​
Strong Password Requirements

​
Password Don’ts

  • Don’t use dictionary words
  • Don’t use personal information
  • Don’t reuse passwords from other sites
  • Don’t share with team members
  • Don’t write down on paper
  • Don’t email passwords

​
Password Manager

Use password managers to generate and store strong passwords:
  • 1Password - Enterprise-ready
  • Bitwarden - Open-source
  • LastPass - Popular choice
  • Dashlane - User-friendly

​
Account Security

​
Enable MFA

Always enable on production accounts: 
curl -X POST https://finceptbackend.share.zrok.io/user/mfa/enable \
  -H "X-API-Key: fk_user_your_key"
Learn more about MFA β†’

​
Monitor Login Activity

Check regularly for suspicious logins: 
curl https://finceptbackend.share.zrok.io/user/login-history \
  -H "X-API-Key: fk_user_your_key"
Look for:
  • 🚨 Unfamiliar IP addresses
  • 🚨 Unusual login times
  • 🚨 Failed login attempts
  • 🚨 Multiple failed MFA attempts

​
Rotate API Keys

Regenerate keys periodically:
Account TypeRecommended Rotation
DevelopmentEvery 180 days
ProductionEvery 90 days
EnterpriseEvery 30-60 days
CompromisedImmediately!

​
Network Security

​
HTTPS Only

Always use HTTPS, never HTTP: https://finceptbackend.share.zrok.io http://finceptbackend.share.zrok.io

​
Firewall Rules

Restrict outbound API calls to Fincept domain: 
# Allow only Fincept API
iptables -A OUTPUT -d finceptbackend.share.zrok.io -j ACCEPT

​
VPN/Private Networks

For sensitive operations:
  • Use VPN for remote access
  • Restrict API access to corporate networks
  • Implement IP whitelisting (enterprise feature)

​
Application Security

​
Validate Input

Never pass user input directly to API: Bad: 
# User can inject malicious values
user_input = request.get("strike")
api_call(strike=user_input) #  Dangerous
Good: 
# Validate and sanitize
try:
    strike = float(request.get("strike"))
    if strike <= 0 or strike > 1000000:
        raise ValueError("Invalid strike")
    api_call(strike=strike) #  Safe
except ValueError:
    return {"error": "Invalid input"}

​
Rate Limiting

Implement client-side rate limiting: 
from time import sleep
import requests

def rate_limited_call(endpoint, data):
    response = requests.post(endpoint, json=data, headers=headers)

    # Check rate limit headers
    remaining = int(response.headers.get("X-RateLimit-Remaining", 0))

    if remaining < 10:
        sleep(1) # Throttle requests

    return response.json()

​
Error Handling

Don’t expose sensitive errors to end users: Bad: 
try:
    result = fincept_api_call()
except Exception as e:
    return str(e) #  May expose API key or internal details
Good: 
try:
    result = fincept_api_call()
except Exception as e:
    logger.error(f"API error: {e}") # Log internally
    return {"error": "Operation failed"} #  Generic message

​
Team Security

​
Separate Keys per Environment

EnvironmentAccountKey
Development[email protected]fk_user_dev_key
Staging[email protected]fk_user_staging_key
Production[email protected]fk_user_prod_key

​
Access Control

  • πŸ” Limit key access to necessary team members
  • πŸ“ Document who has access to which keys
  • πŸ”„ Rotate when team members leave
  • πŸ“Š Audit key usage regularly

​
CI/CD Secrets

Use secret management in pipelines: GitHub Actions: 
- name: Run tests
  env:
    FINCEPT_API_KEY: ${{ secrets.FINCEPT_API_KEY }}
  run: pytest
GitLab CI: 
test:
  script:
    - export FINCEPT_API_KEY=$FINCEPT_API_KEY
    - pytest

​
Incident Response

​
If Key is Compromised

1

Regenerate Immediately

curl -X POST https://finceptbackend.share.zrok.io/user/regenerate-api-key \
  -H "X-API-Key: fk_user_old_key"
2

Check Login History

Look for unauthorized access
3

Review Usage

Check for unusual API calls
4

Update Applications

Deploy new key to all services
5

Enable MFA

Add extra protection
6

Contact Support

Report incident to [email protected]

​
If Account is Compromised

  1. Change password immediately
  2. Regenerate API key
  3. Review and cancel suspicious transactions
  4. Check login history for unauthorized access
  5. Enable MFA
  6. Contact [email protected]

​
Compliance

​
Data Protection

Fincept complies with:
  • GDPR (General Data Protection Regulation)
  • PCI DSS (Payment Card Industry standards)
  • SOC 2 Type II (in progress)
  • ISO 27001 (planned)

​
Your Responsibilities

When using Fincept API:
  • πŸ” Protect your API keys
  • πŸ“Š Secure data received from API
  • πŸ”’ Encrypt sensitive information
  • πŸ“ Comply with local regulations
  • 🚨 Report security incidents

​
Security Checklist

​
Reporting Security Issues

Found a security vulnerability? Contact: [email protected] Include:
  • Detailed description
  • Steps to reproduce
  • Potential impact
  • Your contact information
Do NOT:
  • Publicly disclose vulnerabilities
  • Test on production systems without permission
  • Share exploit code publicly
We’ll respond within 24 hours and credit researchers who report responsibly.

​
Next Steps

API Keys Guide

Learn key management best practices

MFA Setup

Enable multi-factor authentication

Error Handling

Handle errors securely

Rate Limits

Understand rate limiting