Documentation Index

Fetch the complete documentation index at: https://docs.fincept.in/llms.txt

Use this file to discover all available pages before exploring further.

​

Security Best Practices

​

API Key Security

​

Never Expose Keys Publicly

# config.py
API_KEY = "fk_user_Hy8kL2mN9pQ1..." #  NEVER DO THIS

# config.py
import os
API_KEY = os.getenv("FINCEPT_API_KEY") #  Use environment variables

.env
.env.local
config.json
secrets.*
*.key

// app.js - Client-side code
const API_KEY = "fk_user_Hy8kL2mN9pQ1..."; //  Exposed to users!

// backend/server.js - Server-side only
const API_KEY = process.env.FINCEPT_API_KEY; //  Secure

curl -H "X-API-Key: fk_user_abc123..." #  Real key visible

curl -H "X-API-Key: YOUR_API_KEY_HERE" #  Placeholder

logger.info(f"Using API key: {API_KEY}") #  Logged

logger.info(f"Using API key: {API_KEY[:10]}***") #  Redacted

​

Store Securely

export FINCEPT_API_KEY="fk_user_your_key"

setx FINCEPT_API_KEY "fk_user_your_key"

FINCEPT_API_KEY=fk_user_your_key

from dotenv import load_dotenv
load_dotenv()

API_KEY = os.getenv("FINCEPT_API_KEY")

import boto3

client = boto3.client('secretsmanager')
secret = client.get_secret_value(SecretId='fincept/api-key')
API_KEY = secret['SecretString']

import hvac

client = hvac.Client(url='https://vault.company.com')
secret = client.secrets.kv.v2.read_secret_version(path='fincept/api-key')
API_KEY = secret['data']['data']['key']

from azure.keyvault.secrets import SecretClient

client = SecretClient(vault_url="https://myvault.vault.azure.net", credential=credential)
API_KEY = client.get_secret("fincept-api-key").value

{
  "fincept_api_key": "fk_user_your_key"
}

config.json
config.*.json
secrets.json

import json

with open('config.json') as f:
    config = json.load(f)
API_KEY = config['fincept_api_key']

​

Password Security

​

Strong Password Requirements

​

Password Don’ts

• Don’t use dictionary words
• Don’t use personal information
• Don’t reuse passwords from other sites
• Don’t share with team members
• Don’t write down on paper
• Don’t email passwords

​

Password Manager

• 1Password - Enterprise-ready
• Bitwarden - Open-source
• LastPass - Popular choice
• Dashlane - User-friendly

​

Account Security

​

Enable MFA

curl -X POST https://api.fincept.in/user/mfa/enable \
  -H "X-API-Key: fk_user_your_key"

​

Monitor Login Activity

curl https://api.fincept.in/user/login-history \
  -H "X-API-Key: fk_user_your_key"

• 🚨 Unfamiliar IP addresses
• 🚨 Unusual login times
• 🚨 Failed login attempts
• 🚨 Multiple failed MFA attempts

​

Rotate API Keys

​

Network Security

​

HTTPS Only

​

Firewall Rules

# Allow only Fincept API
iptables -A OUTPUT -d api.fincept.in -j ACCEPT

​

VPN/Private Networks

• Use VPN for remote access
• Restrict API access to corporate networks
• Implement IP whitelisting (enterprise feature)

​

Application Security

​

Validate Input

# User can inject malicious values
user_input = request.get("strike")
api_call(strike=user_input) #  Dangerous

# Validate and sanitize
try:
    strike = float(request.get("strike"))
    if strike <= 0 or strike > 1000000:
        raise ValueError("Invalid strike")
    api_call(strike=strike) #  Safe
except ValueError:
    return {"error": "Invalid input"}

​

Rate Limiting

from time import sleep
import requests

def rate_limited_call(endpoint, data):
    response = requests.post(endpoint, json=data, headers=headers)

    # Check rate limit headers
    remaining = int(response.headers.get("X-RateLimit-Remaining", 0))

    if remaining < 10:
        sleep(1) # Throttle requests

    return response.json()

​

Error Handling

try:
    result = fincept_api_call()
except Exception as e:
    return str(e) #  May expose API key or internal details

try:
    result = fincept_api_call()
except Exception as e:
    logger.error(f"API error: {e}") # Log internally
    return {"error": "Operation failed"} #  Generic message

​

Team Security

​

Separate Keys per Environment

​

Access Control

• 🔐 Limit key access to necessary team members
• 📝 Document who has access to which keys
• 🔄 Rotate when team members leave
• 📊 Audit key usage regularly

​

CI/CD Secrets

- name: Run tests
  env:
    FINCEPT_API_KEY: ${{ secrets.FINCEPT_API_KEY }}
  run: pytest

test:
  script:
    - export FINCEPT_API_KEY=$FINCEPT_API_KEY
    - pytest

​

Incident Response

​

If Key is Compromised

curl -X POST https://api.fincept.in/user/regenerate-api-key \
  -H "X-API-Key: fk_user_old_key"

​

If Account is Compromised

1. Change password immediately
2. Regenerate API key
3. Review and cancel suspicious transactions
4. Check login history for unauthorized access
5. Enable MFA
6. Contact support@fincept.in

​

Compliance

​

Data Protection

• GDPR (General Data Protection Regulation)
• PCI DSS (Payment Card Industry standards)
• SOC 2 Type II (in progress)
• ISO 27001 (planned)

​

Your Responsibilities

• 🔐 Protect your API keys
• 📊 Secure data received from API
• 🔒 Encrypt sensitive information
• 📝 Comply with local regulations
• 🚨 Report security incidents

​

Security Checklist

​

Reporting Security Issues

• Detailed description
• Steps to reproduce
• Potential impact
• Your contact information

• Publicly disclose vulnerabilities
• Test on production systems without permission
• Share exploit code publicly

​

Next Steps