API Key & Authentication
VaultSandbox uses a single API key to authenticate all client requests. This guide covers how the API key works, how it’s generated, and how to use it securely.
How It Works
Section titled “How It Works”The API key provides simple, secure authentication for all API requests:
┌─────────────────────────────────────────────────────────────┐│ API Key Authentication Flow │└─────────────────────────────────────────────────────────────┘
1. Client Request ┌─────────┐ ┌─────────────┐ │ Client │ ── POST /api/inboxes ──────→ │ Gateway │ │ │ Header: X-API-Key: abc123 │ │ └─────────┘ └─────────────┘
2. Gateway Validates Key ┌─────────────┐ │ Gateway │ │ │ │ ✓ Valid? └─────────────┘
3. Response ┌─────────┐ ┌─────────────┐ │ Client │ ←── 201 Created ──────────── │ Gateway │ │ │ { inbox data } │ │ └─────────┘ └─────────────┘What the API key controls:
- ✅ Create and manage inboxes
- ✅ Receive and read emails
- ✅ Delete inboxes and emails
- ✅ Subscribe to real-time notifications
What it cannot do:
- ❌ Send outbound emails (VaultSandbox is receive-only)
- ❌ Modify gateway configuration
Automatic Generation
Section titled “Automatic Generation”On first startup, VaultSandbox automatically generates a secure API key and saves it to the data directory.
Getting Your API Key
Section titled “Getting Your API Key”On first startup, an API key is automatically generated and saved to ${VSB_DATA_PATH}/.api-key
(default: /app/data/.api-key) inside the Docker volume.
Security Note: API keys are never logged to stdout/container logs. To retrieve your API key:
# Using Docker Composedocker compose exec gateway cat /app/data/.api-key; echo
# Using Docker CLIdocker exec vaultsandbox-gateway cat /app/data/.api-key; echo
# If using custom VSB_DATA_PATHdocker compose exec gateway cat $VSB_DATA_PATH/.api-keyThe startup logs will confirm the key was loaded:
[ConfigValidation] ✓ Local API key loaded from generated
For production deployments, explicitly set VSB_LOCAL_API_KEY in your environment or use
VSB_LOCAL_API_KEY_STRICT=true to require manual configuration.
Manual Generation
Section titled “Manual Generation”You can generate your own API key and configure VaultSandbox to use it. API keys must be at least 32 characters long.
Generate a Secure Key with OpenSSL
Section titled “Generate a Secure Key with OpenSSL”# Generate a random 32-character API keyopenssl rand -base64 32 | tr -d "=+/" | cut -c1-32Example output:
7kB9qF2mP5tX8nL3wR6vY1zA4cE0sJ7hConfigure the Gateway to Use Your Key
Section titled “Configure the Gateway to Use Your Key”Option 1: Using Environment Variable
Add to your docker-compose.yml:
services: gateway: environment: VSB_LOCAL_API_KEY: '7kB9qF2mP5tX8nL3wR6vY1zA4cE0sJ7h'Option 2: Using .env File
VSB_LOCAL_API_KEY=7kB9qF2mP5tX8nL3wR6vY1zA4cE0sJ7hThen reference in docker-compose.yml:
services: gateway: env_file: - .envUsing the API Key
Section titled “Using the API Key”Include the API key in the X-API-Key header for all requests.
cURL Example
Section titled “cURL Example”curl https://mail.example.com/api/inboxes \ -H "X-API-Key: 7kB9qF2mP5tX8nL3wR6vY1zA4cE0sJ7h"Using Environment Variables
Section titled “Using Environment Variables”Store your API key in environment variables:
VAULTSANDBOX_URL=https://mail.example.comVAULTSANDBOX_API_KEY=7kB9qF2mP5tX8nL3wR6vY1zA4cE0sJ7hThen use in your scripts:
curl $VAULTSANDBOX_URL/api/inboxes \ -H "X-API-Key: $VAULTSANDBOX_API_KEY"CI/CD Integration
Section titled “CI/CD Integration”GitHub Actions:
name: Email Testson: [push]
jobs: test: runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 - name: Run email tests env: VAULTSANDBOX_API_KEY: ${{ secrets.VAULTSANDBOX_API_KEY }} run: npm testGitLab CI:
test: script: - npm test variables: VAULTSANDBOX_API_KEY: $VAULTSANDBOX_API_KEYStore API keys in CI/CD secrets, never in workflow files.
Security Best Practices
Section titled “Security Best Practices”Storing API Keys
Section titled “Storing API Keys”✅ DO:
- Store in environment variables
- Use secret management tools (AWS Secrets Manager, Vault, etc.)
- Use Docker secrets for production deployments
- Use password managers for manual storage
❌ DON’T:
- Hard-code in source code
- Commit to version control
- Share via email or chat
- Log API keys in plain text
Using API Keys
Section titled “Using API Keys”✅ DO:
- Always use HTTPS for requests
- Rotate keys periodically
- Use separate keys for different environments (dev, staging, prod)
- Monitor for unauthorized access
❌ DON’T:
- Reuse keys across environments
- Use keys in client-side JavaScript (browser)
- Transmit keys over unencrypted connections
Key Rotation
Section titled “Key Rotation”For enhanced security, rotate your API key periodically.
When to Rotate
Section titled “When to Rotate”- Development: As needed
- Staging: Every 90 days
- Production: Every 30-90 days
- Immediately: If key is compromised
How to Rotate
Section titled “How to Rotate”See the Docker Compose Deployment guide for detailed instructions on rotating your API key, including:
- Deleting and regenerating the key
- Managing permissions
Troubleshooting
Section titled “Troubleshooting”Invalid API Key
Section titled “Invalid API Key”Error: 401 Unauthorized: Invalid API key
Causes:
- API key is incorrect or malformed
X-API-Keyheader is missing or misspelled
Solutions:
- Verify the key matches what’s in the container:
Terminal window docker compose exec gateway cat /app/data/.api-key; echo - Check for extra whitespace or newlines in the key
- Ensure header is set:
X-API-Key: your-key(case-sensitive) - Test with cURL to isolate the issue:
Terminal window API_KEY=$(docker compose exec gateway cat /app/data/.api-key)curl -v https://mail.example.com/api/inboxes \-H "X-API-Key: $API_KEY"
Can’t Find API Key
Section titled “Can’t Find API Key”Problem: The API key file doesn’t exist
Solutions:
-
Check the logs:
Terminal window docker compose logs gateway | grep -i "api key" -
Verify data directory exists in container:
Terminal window docker compose exec gateway ls -la /app/data -
If file is missing, regenerate:
Terminal window docker compose downdocker volume rm vaultsandbox_gateway-data # Adjust volume name if neededdocker compose up -d# New key will be auto-generated
Next Steps
Section titled “Next Steps”- Docker Compose Setup - Deploy with Docker Compose and manage API keys
- Gateway Configuration - Configure gateway settings
- Security - Deep dive into security model
- Node.js Client Installation - Use the SDK for seamless API key handling