Authentication and Security

For security reasons, the Wasabi Account Control API caller must use HTTPS; any non-HTTPS call will be redirected to the HTTPS endpoint.

Wasabi Account Control API calls are authenticated through the Authorization HTTP header: the caller must send the secret API key provided by Wasabi as the Authorization header value.

The user of the Wasabi Account Control API must keep the API key safe and protected. It is only to be used in trusted server-to-server communications and MUST NOT be put in any untrusted environments (such as browser-side JavaScript) or otherwise exposed to users or personnel that are not authorized to use that key.

If the security of an API key has been breached, it is the Wasabi Control Account holder’s responsibility to immediately contact Wasabi and have the old API key invalidated and a new API key generated.

The Wasabi Account Control API key will support rolling-key management, where two sets of API keys are accepted for an overlapping time period. Callers can use either key when making calls into the API. This allows one key to expire while the other remains valid during the transition period.
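The following is an added example (not Wasabi's own client code) of a server-side caller that sends the API key in the Authorization header, refuses to send it over anything but HTTPS (a redirect would only protect the second request, not the one that already carried the key), and holds both keys during a rolling-key overlap window. The environment variable names and the URL used in the test are assumptions; the real Account Control API endpoint is not given on this page.

```python
import os
import urllib.error
import urllib.request
from urllib.parse import urlsplit

class ApiKeyRing:
    """Current Account Control API key plus, during a rollover, the incoming one."""

    def __init__(self, current, incoming=None):
        if not current:
            raise ValueError("a current API key is required")
        self.current = current
        self.incoming = incoming

    def active_key(self):
        # Both keys are accepted during the overlap; prefer the newer one so the
        # old key stops seeing traffic and can be invalidated when the window closes.
        return self.incoming or self.current

    def finish_rotation(self):
        # Call once the old key has been invalidated on the Wasabi side.
        if self.incoming is None:
            raise ValueError("no rotation in progress")
        self.current, self.incoming = self.incoming, None

    @classmethod
    def from_env(cls):
        # Assumed variable names: keys live in the server's environment,
        # never in source control or browser-side code.
        return cls(os.environ["WASABI_ACCOUNT_CONTROL_KEY"],
                   os.environ.get("WASABI_ACCOUNT_CONTROL_KEY_NEXT"))

class _RefuseRedirects(urllib.request.HTTPRedirectHandler):
    # Following a redirect would replay the Authorization header to a new
    # location; fail instead so the key only travels to the URL we chose.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        raise urllib.error.HTTPError(req.full_url, code, "redirect refused", headers, fp)

def build_request(method, url, key_ring):
    """Build an authenticated request; raise rather than send the key in clear."""
    if urlsplit(url).scheme != "https":
        raise ValueError("refusing to send the API key over non-HTTPS: " + url)
    req = urllib.request.Request(url, method=method)
    req.add_header("Authorization", key_ring.active_key())  # raw key, no scheme prefix
    return req

def send(req, timeout=30):
    opener = urllib.request.build_opener(_RefuseRedirects())
    with opener.open(req, timeout=timeout) as resp:
        return resp.status, resp.read()
```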