API Key Security & Netmera Safeguards
Most incidents come from REST API keys being exposed or from panel accounts being used by the wrong person. The impact is highest when the key or account can trigger messaging actions. This page explains how Netmera API keys work and how to lock them down.
API Key Architecture (SDK vs. REST)
Netmera uses a split model. SDK keys and REST API keys have different scopes and use cases.
SDK key (client-side)
Used by the Netmera SDK in your apps.
Expected to be present in the application bundle.
Do not rely on it for privileged operations.
REST API key (server-side)
Used for server-to-server integrations.
Not required for any in-app use case.
Don’t embed it in a mobile app or web frontend.
If a REST API key is shipped in a client app, assume it can be extracted: anyone with the binary or page source can read it. Reduce the blast radius with REST API IP whitelisting, so that an extracted key is still useless from outside your approved networks.
Key Generation & Storage Model
Keys are generated when a specific panel user requests them for a specific app.
Keys are not stored in plaintext. Access is controlled by panel authorization.
Different users of the same app may see different keys. This does not change permissions. It helps you trace an exposed key back to a panel account.
REST API IP Restriction (Whitelist)
Restrict REST API usage with an IP whitelist. This blocks requests from unknown networks, even if a valid key leaks.
Use a small set of stable outbound IPs. Example: your API gateway, VPN egress, or a dedicated NAT. Avoid broad ranges such as an entire cloud-provider block; they defeat the purpose of the restriction. Check the list again whenever your egress changes, or production sends will start failing.
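The following is an added example, not Netmera's code and not a description of Netmera's internals. It models what an IP whitelist buys you (a leaked key used from an unknown network is rejected before the key is even considered) and adds a pre-flight audit of the list you are about to configure: every real backend egress IP must be covered, and no entry should be broader than a small range. All addresses, keys and the size threshold are constructed sample values.

```python
"""
Model of REST API IP whitelisting and an audit of the configured list.
Added illustration only; not Netmera's implementation. All IPs, keys and
the max_hosts threshold are constructed sample values.
"""
import ipaddress
from typing import Iterable

# Constructed sample whitelist: an API gateway host and a small NAT range.
ALLOWLIST = ["203.0.113.10/32", "198.51.100.0/28"]

# Constructed sample key; not a real Netmera key.
VALID_KEYS = {"rest-key-example-0001"}


def parse_allowlist(entries: Iterable[str]):
    """Turn '203.0.113.10' or '198.51.100.0/28' into network objects.
    strict=False lets a bare host address become a /32 and tolerates
    host bits set in a range entry."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def ip_allowed(source_ip: str, allowlist: Iterable[str]) -> bool:
    """True if the request's source address falls inside any whitelisted range."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in parse_allowlist(allowlist))


def evaluate_request(api_key: str, source_ip: str,
                     allowlist=ALLOWLIST, valid_keys=VALID_KEYS) -> str:
    """Return 'accept' or a rejection reason.
    The IP check runs first, so a valid but leaked key presented from an
    unknown network is rejected without the key ever being evaluated."""
    if not ip_allowed(source_ip, allowlist):
        return "reject: source IP not in allowlist"
    if api_key not in valid_keys:
        return "reject: invalid key"
    return "accept"


def audit_allowlist(allowlist: Iterable[str], egress_ips: Iterable[str],
                    max_hosts: int = 256) -> list[str]:
    """Findings for a whitelist before you save it in the panel:
    - every real backend egress IP must be covered, or sends will fail;
    - entries with more than max_hosts addresses (a cloud-provider block,
      or 0.0.0.0/0) are too broad to be a meaningful restriction.
    Returns an empty list when the whitelist is both complete and tight."""
    nets = parse_allowlist(allowlist)
    findings = []
    for ip in egress_ips:
        if not any(ipaddress.ip_address(ip) in n for n in nets):
            findings.append(f"egress {ip} not covered")
    for n in nets:
        if n.num_addresses > max_hosts:
            findings.append(f"entry {n} too broad ({n.num_addresses} addresses)")
    return findings


if __name__ == "__main__":
    # Same valid key, two networks: only the whitelisted one gets through.
    print(evaluate_request("rest-key-example-0001", "203.0.113.10"))
    print(evaluate_request("rest-key-example-0001", "192.0.2.55"))
    print(audit_allowlist(ALLOWLIST, ["203.0.113.10", "198.51.100.200"]))
```

Run `audit_allowlist` with the egress addresses your NAT or gateway actually uses; a "not covered" finding means an outage after you enable the restriction, and a "too broad" finding means the restriction is not really doing anything.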
Panel Access & Security Options
API keys are accessible only through the Netmera panel. Lock panel access down first.
Email/SMS OTP: Users must enter a one-time password, delivered by email or SMS, to access the panel. (For details on authentication, see Control Panel.)
IP-Restricted User Login: Allows access only from approved IP ranges (e.g., a company VPN/network).
Domain-Restricted User Login: Limits panel user creation and login to specific email domains, so only accounts from approved domains can access the app in the panel.
Additional Panel Authorization Controls:
Role-Based Access Control: API key visibility can be restricted by panel roles.
Approval Mechanism (Approver): Message sending can be configured to require approval. Messages are not sent unless an authorized approver confirms the action.
For roles and approval flows, see Roles and Permissions.
Recommended Setup
Keep REST API keys server-side only
Do not ship REST keys in mobile apps. Do not use them in browser JavaScript.
Enable REST API IP whitelisting
Allow only your backend outbound IPs.
Enforce stronger panel authentication
Enable Email/SMS OTP in General Settings.
Reduce who can view keys
Use roles to limit API key visibility. Keep “admin” access rare.
Require approvals for message sending (optional)
Turn on Approver if you have multiple operators.
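The following is an added example of the first recommendation above (REST keys stay server-side); it is not Netmera's code. The mobile app or browser never holds the key: it calls your own backend with its own user session, and the backend attaches the key and calls Netmera from a fixed egress address that you have whitelisted. The key is read from the environment (where a secret manager injects it), startup fails closed on a missing or placeholder value, and logs only ever see a redacted form. The endpoint URL, header name and payload shape are placeholders assumed for illustration, not documented Netmera API values.

```python
"""
Backend-only handling of a REST API key. Added example, not Netmera's code.
NETMERA_REST_URL, the X-netmera-api-key header name and the payload shape
are assumptions for illustration, not documented API values.
"""
import json
import logging
import os
import urllib.request

# Placeholder endpoint (assumed). Point this at the real REST URL from the docs.
NETMERA_REST_URL = "https://example.invalid/rest/v1/send"


class MissingSecret(RuntimeError):
    """Raised when the key is absent so the service refuses to start."""


def load_rest_key(env_name: str = "NETMERA_REST_API_KEY",
                  environ=os.environ) -> str:
    """Read the key from the environment, where a secret manager injects it.
    Fail closed on an empty or obvious placeholder value rather than running
    with a broken integration that someone later 'fixes' by pasting a key
    into the app."""
    key = environ.get(env_name, "").strip()
    if not key or key.upper().startswith("CHANGEME") or key.startswith("<"):
        raise MissingSecret(f"{env_name} is not set")
    return key


def redact(key: str) -> str:
    """Loggable form of the key: last four characters only, so a log leak
    is not a key leak. Very short values are fully masked."""
    if len(key) <= 8:
        return "****"
    return "*" * (len(key) - 4) + key[-4:]


def build_request(payload: dict, key: str) -> urllib.request.Request:
    """Server-to-server request with the key in a header (header name assumed)."""
    body = json.dumps(payload).encode("utf-8")
    req = urllib.request.Request(NETMERA_REST_URL, data=body, method="POST")
    req.add_header("Content-Type", "application/json")
    req.add_header("X-netmera-api-key", key)
    return req


def handle_client_request(user_id: str, message: str,
                          environ=os.environ) -> urllib.request.Request:
    """What your backend does when the app asks it to send something.
    The app authenticated to *you* with its own session; the REST key is
    attached only here, on the server. Returns the prepared request so the
    caller can send it with urllib.request.urlopen(req) from the
    whitelisted egress address."""
    key = load_rest_key(environ=environ)
    # Placeholder payload shape; use the fields from the REST API docs.
    payload = {"target": {"userId": user_id}, "message": message}
    req = build_request(payload, key)
    logging.info("calling Netmera REST API with key %s", redact(key))
    return req


if __name__ == "__main__":
    # Constructed sample environment; a real deployment gets this from the
    # secret manager, never from a file checked into the app repository.
    sample_env = {"NETMERA_REST_API_KEY": "rest-key-example-0001"}
    req = handle_client_request("user-42", "hello", environ=sample_env)
    print(req.get_method(), req.full_url, redact(sample_env["NETMERA_REST_API_KEY"]))
```

The only place the key value appears is inside `build_request`; client code talks to `handle_client_request` through your own API, which is where your user authentication, rate limits and (if you use it) the approval step belong.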