Authentication & Security
Secure your MeshBase integration with proper authentication, API key management, and security best practices.
API Keys
MeshBase uses API keys for authentication. There are two types:
πPublic API Key
Safe for frontend code
- β Read published content
- β Can be exposed in client-side code
- β Cannot create/update/delete content
- β Cannot access unpublished content
πAdmin API Key
Keep secret - server-side only
- β Full read/write access
- β Create/update/delete content
- β Access unpublished content
- β Never expose in frontend code
Never Commit API Keys to Git
Always use environment variables for API keys. Add .env to your .gitignore.
Environment Variables
Store API keys securely using environment variables.
Development
# .env.local (Next.js / Vite)
MESHBASE_API_URL=https://api.meshbase.io/v1
NEXT_PUBLIC_MESHBASE_PUBLIC_KEY=pub_abc123...
MESHBASE_ADMIN_KEY=admin_xyz789...β Public keys use NEXT_PUBLIC_ prefix (exposed to browser)
β Admin keys have NO prefix (server-only)
Production (Vercel/Netlify)
Add environment variables in your hosting platform's dashboard:
- Go to Project Settings β Environment Variables
- Add
MESHBASE_ADMIN_KEY(keep secret) - Add
NEXT_PUBLIC_MESHBASE_PUBLIC_KEY(safe to expose) - Redeploy your application
Authentication Patterns
Client-Side (Public Key)
// Safe for browser - reading published content
const response = await fetch(
'https://api.meshbase.io/v1/blog-posts',
{
headers: {
'Authorization': `Bearer ${process.env.NEXT_PUBLIC_MESHBASE_PUBLIC_KEY}`
}
}
);Server-Side (Admin Key)
// Server-only - creating/updating content
// Next.js API Route
export async function POST(request) {
const response = await fetch(
'https://api.meshbase.io/v1/blog-posts',
{
method: 'POST',
headers: {
'Authorization': `Bearer ${process.env.MESHBASE_ADMIN_KEY}`,
'Content-Type': 'application/json'
},
body: JSON.stringify(await request.json())
}
);
return Response.json(await response.json());
}Rate Limiting
MeshBase implements rate limiting to prevent abuse:
Default Limits
Public APIβ 100 requests/minute per IPAdmin APIβ 1000 requests/minute per key
Handle Rate Limit Errors
async function fetchWithRetry(url, options, retries = 3) {
for (let i = 0; i < retries; i++) {
const response = await fetch(url, options);
if (response.status === 429) {
// Rate limited - wait and retry
const retryAfter = response.headers.get('Retry-After') || 60;
await new Promise(resolve => setTimeout(resolve, retryAfter * 1000));
continue;
}
return response;
}
throw new Error('Max retries exceeded');
}CORS Configuration
Cross-Origin Resource Sharing is configured in your MeshBase project settings.
Default CORS Settings
- β Allows all origins in development
- β Production: whitelist your domains
- β Supports credentials (cookies)
Configure Allowed Origins
- Go to Project Settings β Security
- Add your domains to Allowed Origins
- Example:
https://yoursite.com - Save changes
Security Best Practices
- 1.Rotate API keys regularly
Change keys every 90 days or immediately if compromised
- 2.Use different keys per environment
Separate keys for dev, staging, and production
- 3.Never log API keys
Sanitize logs to prevent accidental key exposure
- 4.Implement request signing
For webhooks, verify signatures to ensure authenticity
- 5.Use HTTPS everywhere
Always use HTTPS for API calls and webhooks
- 6.Monitor API usage
Watch for unusual patterns that might indicate compromise
If Your Key is Compromised
If you suspect your API key has been exposed:
- Immediately revoke the compromised key in Project Settings
- Generate a new key and update your environment variables
- Review recent API activity for unauthorized access
- Audit your codebase to find where the key was exposed
- Redeploy your application with the new key
Act Fast
The faster you rotate keys after a compromise, the less damage can be done. MeshBase makes key rotation instantβno downtime required.