API Authentication Best Practices

January 20, 2026 · AximCode Team

Understanding API Authentication

API authentication is how you prove your identity when making API requests. There are several common methods, each with different use cases and security considerations.

API Keys vs Bearer Tokens

API Keys

API keys are simple, long-lived credentials typically used for server-to-server communication.

// Using an API key
fetch('https://apis.aximcode.com/v1/core/users', {
  headers: {
    'X-API-Key': 'axim_live_aBcDeFgHiJkLmNoP'
  }
});

When to use: Backend services, scripts, CI/CD pipelines, trusted environments.

Bearer Tokens (JWT)

Bearer tokens are short-lived credentials typically issued after user login.

// Using a bearer token
fetch('https://api.example.com/profile', {
  headers: {
    'Authorization': 'Bearer eyJhbGciOiJIUzI1NiIs...'
  }
});

When to use: User-facing applications, mobile apps, SPAs.

API Key Security

Follow these best practices to keep your API keys secure:

Never Expose Keys in Frontend Code

// BAD: Key exposed in browser
const API_KEY = 'axim_live_aBcDeFgHiJkLmNoP';
fetch('/api/data', { headers: { 'X-API-Key': API_KEY } });

// GOOD: Call through your backend
fetch('/api/proxy/data'); // Your backend adds the key

Use Environment Variables

# .env (never commit this file!)
AXIMCODE_API_KEY=axim_live_aBcDeFgHiJkLmNoP

// Your code
const apiKey = process.env.AXIMCODE_API_KEY;
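Putting the last two points together, here is an added example (not code from the original post or from AximCode) of a small backend proxy route: it loads the key from the environment once at startup, refuses to start if the key is missing or malformed, and injects the key server-side so the browser only ever calls `/api/proxy/...`. The allowlist of upstream paths, the key-format check (based on the sample key shown above) and the `/api/proxy` prefix are assumptions made for this example.

```javascript
// Added example, not from the original post: a backend proxy that keeps the
// API key out of the browser. Assumptions: the upstream base URL and header
// name from the post; the path allowlist and key format check are hypothetical.

const UPSTREAM_BASE = 'https://apis.aximcode.com/v1';

// Paths the proxy is willing to forward. Anything else is rejected so the
// proxy cannot be used to sign arbitrary requests with your key.
const ALLOWED_PATHS = new Set(['/core/users', '/core/projects']);

// Read and validate the key once at startup. A missing or malformed key
// should stop the process rather than silently produce unauthenticated calls.
function loadApiKey(env = process.env) {
  const key = env.AXIMCODE_API_KEY;
  if (!key) {
    throw new Error('AXIMCODE_API_KEY is not set');
  }
  // Hypothetical format check modelled on the sample key in the post.
  if (!/^axim_[a-z]+_[A-Za-z0-9]{16,}$/.test(key)) {
    throw new Error('AXIMCODE_API_KEY has an unexpected format');
  }
  return key;
}

// Turn a request that arrived from the browser into the upstream fetch call.
// The key is added here, on the server. Headers sent by the client (including
// any X-API-Key it tried to smuggle in) are not forwarded.
function buildUpstreamRequest(clientReq, apiKey) {
  const url = new URL(clientReq.url, 'http://localhost');
  const path = url.pathname.replace(/^\/api\/proxy/, '');
  if (!ALLOWED_PATHS.has(path)) {
    return { error: 404 };
  }
  if (clientReq.method !== 'GET') {
    return { error: 405 };
  }
  return {
    url: UPSTREAM_BASE + path + url.search,
    options: {
      method: 'GET',
      headers: { 'X-API-Key': apiKey, 'Accept': 'application/json' },
    },
  };
}

// Request handler compatible with Node's built-in http module.
function createProxyHandler(apiKey) {
  return async (req, res) => {
    const built = buildUpstreamRequest(req, apiKey);
    if (built.error) {
      res.writeHead(built.error);
      res.end();
      return;
    }
    const upstream = await fetch(built.url, built.options);
    res.writeHead(upstream.status, { 'Content-Type': 'application/json' });
    res.end(await upstream.text());
  };
}
```

To run it as a server, wire the handler up with `http.createServer(createProxyHandler(loadApiKey())).listen(3000)`; the browser then fetches `/api/proxy/core/users` and never sees the key.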

Rotate Keys Regularly

Generate new API keys periodically and update your applications. This limits the damage if a key is compromised.

Understanding Rate Limiting

Rate limiting protects APIs from abuse and ensures fair usage. AximCode's rate limit headers tell you your current status:

// Response headers
X-RateLimit-Limit: 10000      // Monthly limit
X-RateLimit-Remaining: 9543   // Requests left
X-RateLimit-Reset: 1706745600 // Unix timestamp when limit resets

Handling Rate Limits Gracefully

async function fetchWithRetry(url, options, retries = 3) {
  const response = await fetch(url, options);

  if (response.status === 429 && retries > 0) {
    // Retry-After is delta-seconds here; fall back to 60s if it is absent or not numeric
    const retryAfter = Number(response.headers.get('Retry-After')) || 60;
    await new Promise(r => setTimeout(r, retryAfter * 1000));
    return fetchWithRetry(url, options, retries - 1);
  }

  return response;
}

Scoping API Keys

Create separate API keys for different purposes:

  • Development: Use during local development
  • Staging: For pre-production testing
  • Production: For live applications
  • CI/CD: For automated testing pipelines

This way, if one key is compromised, you only need to rotate that specific key.

Anonymous Access

AximCode APIs support anonymous access with IP-based rate limiting (100 requests/hour). This is great for:

  • Quick prototyping
  • Trying out the API
  • Public demos

For production use, always use authenticated requests with an API key for higher rate limits and data persistence.
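To make the two tiers concrete, here is an added example (not code from the original post or AximCode's own limiter) of a fixed-window limiter that counts anonymous requests per client IP at the 100 requests/hour mentioned above and authenticated requests per API key at a higher quota. The authenticated quota, the window length and the bucket layout are assumptions for this example; the result shape mirrors the `X-RateLimit-*` headers shown earlier.

```javascript
// Added example, not from the original post. The anonymous limit comes from
// the post; the authenticated limit and window length are hypothetical.

const WINDOW_MS = 60 * 60 * 1000; // one hour
const TIERS = {
  anonymous: { limit: 100 },      // per client IP
  authenticated: { limit: 5000 }, // per API key (hypothetical figure)
};

class RateLimiter {
  constructor(now = Date.now) {
    this.now = now;
    this.buckets = new Map(); // identity -> { count, windowStart }
  }

  // Identity is the API key when one is presented, otherwise the client IP.
  // Counting anonymous traffic by IP keeps one noisy network from exhausting
  // a keyed customer's quota, and keyed traffic from hiding behind shared IPs.
  static identity(req) {
    const key = req.headers['x-api-key'];
    return key
      ? { tier: 'authenticated', id: 'key:' + key }
      : { tier: 'anonymous', id: 'ip:' + req.ip };
  }

  // Returns { allowed, limit, remaining, reset } plus retryAfter (seconds)
  // when the request is blocked, ready to be mapped onto response headers.
  check(req) {
    const { tier, id } = RateLimiter.identity(req);
    const limit = TIERS[tier].limit;
    const t = this.now();
    let b = this.buckets.get(id);
    if (!b || t - b.windowStart >= WINDOW_MS) {
      b = { count: 0, windowStart: t };
      this.buckets.set(id, b);
    }
    const windowEnd = b.windowStart + WINDOW_MS;
    const reset = Math.floor(windowEnd / 1000); // Unix seconds, as in X-RateLimit-Reset
    if (b.count >= limit) {
      return { allowed: false, limit, remaining: 0, reset, retryAfter: Math.ceil((windowEnd - t) / 1000) };
    }
    b.count += 1;
    return { allowed: true, limit, remaining: limit - b.count, reset };
  }
}

// Map a check result onto the headers a client will read.
function rateLimitHeaders(result) {
  const headers = {
    'X-RateLimit-Limit': String(result.limit),
    'X-RateLimit-Remaining': String(result.remaining),
    'X-RateLimit-Reset': String(result.reset),
  };
  if (!result.allowed) headers['Retry-After'] = String(result.retryAfter);
  return headers;
}
```

In a multi-instance deployment the `Map` would be replaced by a shared store, but the decision logic (identity selection, window boundary, what to put in the headers) stays the same.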

Summary

  • Use API keys for server-side code, bearer tokens for user sessions
  • Never expose API keys in frontend code
  • Store keys in environment variables
  • Handle rate limits with retry logic
  • Create separate keys for different environments