The LabStats API is a powerful system that allows communication between LabStats and customer-owned secondary applications and tools. Connecting these separate systems allows organizations to integrate data collected by LabStats into their own systems and processes to achieve new capabilities, automate processes, and more. All customers are required to read and understand these guidelines before utilizing the API.
LabStats has gone to great lengths to secure this API in physical, network, and software realms. As with all APIs, however, the responsibility of properly protecting organizational data extends equally to customers who use the API. Despite having built-in physical and technical safeguards, customers must follow best practices to prevent unauthorized data access from actions taken on their part.
Beyond security, additional best practices concerning the actual usage of the API exist to ensure that the API remains functional and does not negatively affect the availability of other LabStats services through excessive or improper use.
Protect API Keys Like Account Passwords
An API key should be properly protected to keep it secret.
- Do not share your key with anyone who does not have a legitimate need for it.
- Keep your key in a safe place while you are using it and destroy any paper copies when they are no longer needed.
- Do not email the key; most email is not adequately secured, which means the key could be compromised by a third party in transit or after receipt.
- When providing the key to individuals who will develop against the LabStats API, ensure that they understand the security implications of the key so they can protect it as well.
Grant API Keys the Least Possible Privileges
During API key creation you must choose exactly how much access to give the API key. Granting keys the least possible privilege ensures that the key is not used for a purpose other than its original intent and limits the effect if the key were ever compromised.
- Keys can be limited by IP address so that requests can only be made from approved computers or networks. If your use case allows, utilize IP whitelisting and authorize only the IP addresses that you require.
- Keys can be permitted to access different types of data, such as Station, Application, or User data. Grant only those that are required.
- Keys which are granted Station permissions can be further limited to a particular set of groups. If partial data is all that is required, specify just the required groups.
- Keys can be permitted to read data, write data, or both. Permit only the actions required.
Encrypt All Requests to the API
The LabStats API only accepts requests made over HTTPS using TLS (1.2 or higher) encryption. This is to protect your data during transport.
Although the API rejects any request not made over HTTPS, it is still possible for you to send an unencrypted request over HTTP, and a key carried in such a request is exposed in transit even though the request is rejected. If an insecure request is ever made, even during testing, LabStats recommends that you revoke your key out of an abundance of caution.
Revoke Unneeded or Compromised API Keys
API keys which are no longer needed or may be compromised should be revoked. Revoke keys for the following scenarios:
- The key is no longer secret, or you suspect that it is no longer secret.
- An API request was made over HTTP and was thus sent unencrypted.
- A key was sent via email.
- An employee, contractor, or other individual who had access to the key no longer works for the organization or is no longer in good standing.
API Requests Are Cached
To ensure a high level of service to all users, requests to the LabStats API are cached for a short duration. The duration of the cache varies by endpoint and can be found in the API documentation. Caching previously calculated data sets allows LabStats to maintain optimal system performance and availability. It is important to understand that, due to caching, changes made in real-time may take a short time before being reflected in the API.
API Requests Are Rate Limited
Again, to ensure a high level of service to all users and to prevent abuse, each API endpoint is individually rate limited. Rate limiting allows LabStats to maintain optimal system performance and availability and encourages proper design in applications which interact with the API. Requests beyond the approved amount will be rejected until a period of time has expired.
Follow these guidelines to ensure your use of the API is not excessive or wasteful:
- Only request data from the API that you actually need.
- Store results for reuse rather than making duplicate requests later.
- If you are requesting the same data continuously for the purpose of getting real-time updates, make sure your request interval isn’t unnecessarily short (for many scenarios, data that refreshes hourly would still be considered real-time and would be much less taxing on the API than requests every ten seconds).
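The following client wrapper, added here as an example and not code from LabStats, applies the HTTPS-only rule and the "store results for reuse" guideline above: it refuses any non-HTTPS URL before a key can leave the host, pins the TLS floor to 1.2, reads the key from an environment variable rather than source, and serves repeated requests from a short-lived cache so the API is not polled more often than needed. The endpoint URL, the `LABSTATS_API_KEY` variable name, and the bearer-token header format are assumptions, not documented LabStats API details.

```python
import os
import ssl
import time
from urllib.parse import urlparse
from urllib.request import Request, urlopen

API_KEY_ENV = "LABSTATS_API_KEY"  # assumed variable name; the key is never hard-coded


def is_https(url: str) -> bool:
    """True only for an absolute https:// URL; anything else would expose the key in transit."""
    parts = urlparse(url)
    return parts.scheme == "https" and bool(parts.netloc)


def tls12_context() -> ssl.SSLContext:
    """Default verified context, with TLS 1.2 as the minimum the client will negotiate."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


class CachingClient:
    """Sends authenticated GET requests and reuses responses for ttl_seconds per URL."""

    def __init__(self, api_key=None, ttl_seconds=3600, send=None, clock=time.monotonic):
        self._key = api_key or os.environ.get(API_KEY_ENV, "")
        self._ttl = ttl_seconds
        self._cache = {}          # url -> (fetched_at, body)
        self._clock = clock       # injectable so the TTL logic can be tested offline
        self._send = send or self._send_https  # injectable transport for offline tests

    def _send_https(self, url: str) -> bytes:
        # Header format is an assumption, not the documented LabStats scheme.
        req = Request(url, headers={"Authorization": f"Bearer {self._key}"})
        with urlopen(req, context=tls12_context()) as resp:
            return resp.read()

    def get(self, url: str) -> bytes:
        if not is_https(url):
            raise ValueError(f"refusing to send the API key over a non-HTTPS URL: {url}")
        now = self._clock()
        hit = self._cache.get(url)
        if hit is not None and now - hit[0] < self._ttl:
            return hit[1]     # fresh enough: no request leaves the host
        body = self._send(url)
        self._cache[url] = (now, body)
        return body
```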