# Best practices
Recommendations for integrating securely and reliably with the API.
## Key security
- Never expose the Secret in the frontend, in public repos, or in logs. Use it only on the server or in secure environments.
- Rotate keys periodically and when switching environments (e.g. development → production).
- Use different keys per environment and per application so you can revoke one without affecting others.
- If the Secret is leaked, revoke the key immediately in Settings > Integrations and create a new one.
## Using the endpoint
- Use the production endpoint (`https://api.abaco.hn`) only in production. In development, use the URL provided by your team.
- Do not hardcode the URL; use environment variables or environment-specific config.
- Always send the `Authorization` (or `X-API-Key`) header on every request; there is no cookie-based session for key-based API access.
## Requests and performance
- Implement retries with backoff on 5xx errors or timeouts, without overwhelming the server.
- Use pagination on list endpoints (parameters exposed by the API) instead of loading all records.
- Cache data that changes infrequently (e.g. price lists or catalogs) according to your app’s needs, while keeping consistency where required.
## Validation and errors
- Validate data before sending and always handle error status codes (4xx, 5xx) in your application.
- Read the body of error responses; they often include messages or per-field details to fix the request.
- Log errors (without including the Secret) for debugging and support.
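The following client skeleton is an added example, not code from the API documentation: it ties together the endpoint, retry and logging guidance above (key and URL read from environment variables, key sent only in the `X-API-Key` header, retries with capped exponential backoff on 5xx and timeouts only, error bodies logged with the secret redacted). The variable names `ABACO_API_URL` and `ABACO_API_SECRET` and the `send` callback are assumptions.

```python
import logging
import os
import random
import time
from typing import Callable, Optional, Tuple

log = logging.getLogger("abaco_client")
MAX_ATTEMPTS = 4                    # one initial try plus up to three retries
BASE_DELAY, MAX_DELAY = 0.5, 8.0    # seconds


def load_config() -> Tuple[str, str]:
    # Hypothetical variable names; the page only asks for environment-specific config.
    return os.environ["ABACO_API_URL"], os.environ["ABACO_API_SECRET"]


def backoff_delay(attempt: int, rng: Callable[[], float] = random.random) -> float:
    """Exponential backoff with full jitter, capped so retries never hammer the server."""
    return rng() * min(MAX_DELAY, BASE_DELAY * 2 ** attempt)


def is_retryable(status: Optional[int]) -> bool:
    """Retry only timeouts (status None) and 5xx; a 4xx means the request itself must be fixed."""
    return status is None or 500 <= status < 600


def redact(text: str, secret: str) -> str:
    """Scrub the key before anything reaches a log line."""
    return text.replace(secret, "***") if secret else text


def request_with_retry(send, path: str, base_url: str, secret: str,
                       sleep: Callable[[float], None] = time.sleep) -> Tuple[Optional[int], str]:
    """send(url, headers) -> (status, body); it raises TimeoutError on a timeout."""
    headers = {"X-API-Key": secret}   # the key travels only in this header, never in the URL
    status, body = None, ""
    for attempt in range(MAX_ATTEMPTS):
        try:
            status, body = send(base_url + path, headers)
        except TimeoutError:
            status, body = None, ""
        if not is_retryable(status):
            break
        if attempt < MAX_ATTEMPTS - 1:
            sleep(backoff_delay(attempt))
    if status is None or status >= 400:
        # Error bodies carry per-field details worth keeping; the secret must not be in the log.
        log.error("GET %s -> %s: %s", path, status, redact(body, secret))
    return status, body
```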
## Summary
| Practice | Recommendation |
|---|---|
| Secret | Server-side only; never in frontend or logs |
| Keys | One per environment/app; rotate and revoke on leak |
| Endpoint | Configurable; production URL only in production |
| Errors | Retry with backoff; read error body |
| Lists | Paginate; cache when it makes sense |
For more on authentication and credentials, see Authentication and Endpoint and key extraction.