
Secure API Usage

Follow these best practices to keep your data safe.

Keep API Keys Secret

  • Store keys in environment variables
  • Never commit keys to version control
  • Never include keys in client-side JavaScript
# .env
CUBESTACK_API_KEY=your-api-key

Use Public Access for Frontends

For browser-based applications, enable public access on your cubes and mark only the columns that are safe to expose as public:
// No API key needed — only public columns returned
const response = await fetch('https://api.cubestack.app/api/v1/my-project/products');

Server-Side Only for Write Operations

All write operations (create, update, delete) require an API key. Perform these operations from your server:
// Server-side only
await fetch('https://api.cubestack.app/api/v1/my-project/products', {
  method: 'POST',
  headers: {
    'X-Api-Key': process.env.CUBESTACK_API_KEY,
    'Content-Type': 'application/json'
  },
  body: JSON.stringify({ title: 'New Product' })
});
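
The sketch below is an added example, not CubeStack's own code. It shows one way a server can accept a browser's write request and forward it with the key from the environment. The helper names (`buildWriteRequest`, `createRecord`) and the `ALLOWED_FIELDS` allowlist are assumptions made for illustration; the URL, header name and project path are the ones shown above.

```javascript
// Added example: server-side helper that keeps the CubeStack key out of the browser.
const API_BASE = 'https://api.cubestack.app/api/v1'; // base URL as shown on this page
const ALLOWED_FIELDS = ['title']; // assumption: the only field a client may set

// Build the upstream request. Fails closed when the key is missing or blank.
function buildWriteRequest(env, project, cube, input) {
  const key = env.CUBESTACK_API_KEY;
  if (typeof key !== 'string' || key.trim() === '') {
    throw new Error('CUBESTACK_API_KEY is not set');
  }
  if (input === null || typeof input !== 'object' || Array.isArray(input)) {
    throw new TypeError('request body must be a JSON object');
  }
  // Copy only allowlisted fields so a client cannot write to other columns.
  const body = {};
  for (const field of ALLOWED_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(input, field)) body[field] = input[field];
  }
  if (Object.keys(body).length === 0) throw new TypeError('no permitted fields');
  return {
    url: `${API_BASE}/${encodeURIComponent(project)}/${encodeURIComponent(cube)}`,
    options: {
      method: 'POST',
      headers: { 'X-Api-Key': key, 'Content-Type': 'application/json' },
      body: JSON.stringify(body),
    },
  };
}

// Send the write and return only what the browser needs to see.
async function createRecord(input, { env = process.env, fetchImpl = fetch } = {}) {
  const { url, options } = buildWriteRequest(env, 'my-project', 'products', input);
  const res = await fetchImpl(url, options);
  if (!res.ok) {
    // Never echo the request options or upstream headers: they carry the key.
    return { ok: false, status: res.status };
  }
  return { ok: true, status: res.status, data: await res.json() };
}
```

Call `createRecord(parsedBody)` from your own authenticated route handler; the browser talks only to that route and never sees the `X-Api-Key` header.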

Rotate Keys Regularly

Rotate your keys regularly, and if you suspect a key has been compromised, rotate it immediately. Keys are rotated in the admin panel under Settings > API Keys.

CORS

CubeStack sets appropriate CORS headers for public endpoints. If you need custom CORS configuration, contact support.