API Key Security
Your SnapAPI key grants access to your screenshot quota. Treat it like a password — protect it from exposure, rotate it regularly, and never hardcode it in source code.
Environment Variables
Store your API key in environment variables, never in code:
# .env file (never commit to git!)
SNAPAPI_KEY=snap_abc123def456

// Node.js
const API_KEY = process.env.SNAPAPI_KEY;

# Python
import os
api_key = os.environ['SNAPAPI_KEY']
Server-Side Only
Never expose your API key in client-side code. If you need screenshots from the browser, create a server-side proxy endpoint:
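// Server-side proxy: the key stays on the server and never reaches the browser
app.get('/api/preview', async (req, res) => {
  const { url } = req.query;
  // Reject a missing or repeated url parameter instead of forwarding it
  if (typeof url !== 'string' || url === '') {
    return res.status(400).send('Missing url parameter');
  }
  const ssRes = await fetch(
    `https://apisnap.dev/api/screenshot?url=${encodeURIComponent(url)}`,
    { headers: { Authorization: `Bearer ${process.env.SNAPAPI_KEY}` } }
  );
  // Do not relay an upstream error body as if it were an image
  if (!ssRes.ok) {
    return res.status(502).send('Screenshot request failed');
  }
  res.set('Content-Type', 'image/png');
  res.send(Buffer.from(await ssRes.arrayBuffer()));
});
Key Rotation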
Rotate API keys periodically, especially after team member departures. Generate a new key in your dashboard, update your environment variables, then deactivate the old key.
Monitoring Usage
Check the X-Usage-Remaining response header after each request. Unexpected drops in remaining quota may indicate unauthorized usage. Set up alerts when usage exceeds expected patterns.
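One way to act on the X-Usage-Remaining header described above, as an added example that is not SnapAPI's own code. It assumes the header carries an integer count and that each request costs one unit; createUsageMonitor, observe and tolerance are hypothetical names.

```javascript
// Added example: compares X-Usage-Remaining between this service's own
// requests and reports quota that disappeared without a matching request.
// Assumptions: the header is an integer count; each request costs 1 unit.
function createUsageMonitor({ tolerance = 0, onAlert = () => {} } = {}) {
  let last = null; // last remaining-quota value seen by this process

  return {
    // headerValue: raw string from the X-Usage-Remaining response header
    // ownRequests: requests this service sent since the previous observation
    observe(headerValue, ownRequests = 1) {
      const text = String(headerValue ?? '').trim();
      if (!/^\d+$/.test(text)) {
        return { status: 'no-data' }; // header missing or malformed
      }
      const remaining = Number(text);
      const previous = last;
      last = remaining;
      if (previous === null) return { status: 'baseline', remaining };
      if (remaining > previous) return { status: 'reset', remaining }; // quota renewed

      const drop = previous - remaining;
      const unexplained = drop - ownRequests; // usage we cannot account for
      if (unexplained > tolerance) {
        const event = { status: 'alert', remaining, drop, unexplained };
        onAlert(event);
        return event;
      }
      return { status: 'ok', remaining, drop };
    },
  };
}

// Constructed sample: header values seen on five consecutive responses.
function runSample() {
  const alerts = [];
  const monitor = createUsageMonitor({ tolerance: 2, onAlert: (e) => alerts.push(e) });
  const readings = ['1000', '999', '998', '940', null];
  const statuses = readings.map((value) => monitor.observe(value).status);
  return { statuses, alerts };
}

console.log(runSample());
```

In the proxy handler, pass ssRes.headers.get('X-Usage-Remaining') to observe after each upstream response. If several instances share one key, set tolerance high enough to cover their combined traffic, or feed all readings into a single monitor.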