Security Best Practices
Protect your Stake.com account and API tokens with these essential security practices.
Token Security
Your access token provides full access to your Stake.com account. Treat it like a password: anyone who obtains it can act as you until the token is rotated or revoked.
Do's and Don'ts
| Do | Don't |
|---|---|
| Store tokens in environment variables | Hardcode tokens in source code |
| Use .env files (locally only) | Commit .env to version control |
| Rotate tokens regularly | Share tokens with others |
| Use minimal-scope tokens | Log tokens to console/files |
| Encrypt stored tokens | Send tokens over insecure channels |
Environment Variables
import os
# GOOD: read the token from the environment at runtime
token = os.getenv("STAKE_ACCESS_TOKEN")
# BAD: hardcoded in source (ends up in version control, diffs, backups and every clone)
token = "2775b505cccaee723e5c705..."
.gitignore Configuration
Always exclude sensitive files. Note that .gitignore only prevents future commits: a token that has already been committed stays in the repository history even after the file is deleted, so rotate it instead of relying on a cleanup commit.
# Secrets
.env
*.env
.env.local
.env.production
config.py
secrets.py
credentials.json
# IDE
.idea/
.vscode/settings.json
Secure Token Storage
Using python-dotenv
from dotenv import load_dotenv
import os
load_dotenv()  # Loads from .env; by default does not override variables already set in the environment
token = os.getenv("STAKE_ACCESS_TOKEN")
if not token:
    # Fail fast at startup rather than sending an empty token to the API later
    raise ValueError("STAKE_ACCESS_TOKEN not set")
Using keyring (System Keychain)
For stronger protection than a plaintext .env file, store the token in the OS keychain via the keyring package. Run the one-time store step interactively (for example from a Python REPL) rather than saving it in a script, or the literal token becomes a hardcoded secret again:
import keyring
# Store (do once, interactively)
keyring.set_password("stakeapi", "access_token", "your_token_here")
# Retrieve at runtime; returns None if nothing is stored
token = keyring.get_password("stakeapi", "access_token")
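The two storage methods above fit different environments: CI and containers inject an environment variable, a developer workstation uses the keychain. The loader below is an added example, not StakeAPI's own code. It resolves the token with that precedence, fails fast with a message that names where it looked but never echoes a token, and does the one-time keychain store through getpass so the token stays out of shell history. The service and username strings ("stakeapi", "access_token") and the STAKE_ACCESS_TOKEN variable are the ones used on this page; the function names, the TokenNotFound exception and the env parameter (a mapping for testing, defaulting to os.environ) are this example's own assumptions.

```python
import os
from getpass import getpass
from typing import Mapping, Optional

try:
    import keyring  # optional: if missing, only the environment is consulted
except ImportError:
    keyring = None

ENV_VAR = "STAKE_ACCESS_TOKEN"
SERVICE = "stakeapi"        # keyring service name used on this page
USERNAME = "access_token"   # keyring "username" slot used on this page


class TokenNotFound(RuntimeError):
    """Raised when no token is available from any configured source."""


def _from_keyring() -> Optional[str]:
    """Read the token from the OS keychain, treating any backend failure as 'absent'."""
    if keyring is None:
        return None
    try:
        return keyring.get_password(SERVICE, USERNAME)
    except Exception:
        # Headless CI, locked keychain, no backend installed: fall through to "not found"
        return None


def load_access_token(env: Optional[Mapping[str, str]] = None,
                      use_keyring: bool = True) -> str:
    """Return the access token, preferring the environment over the keychain.

    Precedence: the environment variable first (what CI and containers set),
    then the OS keychain (what a developer workstation uses). The token value
    never appears in the error message.
    """
    env = os.environ if env is None else env
    token = (env.get(ENV_VAR) or "").strip()
    if not token and use_keyring:
        token = (_from_keyring() or "").strip()
    if not token:
        raise TokenNotFound(
            f"no access token: set {ENV_VAR} or store one in the keychain "
            f"({SERVICE}/{USERNAME})"
        )
    return token


def has_access_token(env: Optional[Mapping[str, str]] = None,
                     use_keyring: bool = True) -> bool:
    """Startup check: True if a token can be resolved, without revealing it."""
    try:
        load_access_token(env, use_keyring)
        return True
    except TokenNotFound:
        return False


def store_token_interactively() -> None:
    """One-time setup: read the token without echo and put it in the keychain.

    getpass() keeps the token out of shell history and terminal scrollback,
    which pasting it into a script or a command line would not.
    """
    if keyring is None:
        raise RuntimeError("install the 'keyring' package to use the OS keychain")
    token = getpass("Stake.com access token: ").strip()
    if not token:
        raise ValueError("empty token")
    keyring.set_password(SERVICE, USERNAME, token)
```

Call store_token_interactively() once from a REPL on a workstation; afterwards load_access_token() with no arguments picks the token up from STAKE_ACCESS_TOKEN if set and from the keychain otherwise.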
Network Security
HTTPS Only
StakeAPI always communicates over HTTPS. Never change the base URL to HTTP, and never disable TLS certificate verification in the underlying HTTP client: an HTTPS URL with verification turned off gives the same exposure to an on-path attacker as plain HTTP.
# GOOD: HTTPS (default)
client = StakeAPI(access_token=token, base_url="https://stake.com")
# BAD: never use HTTP; the token would be sent in cleartext
client = StakeAPI(access_token=token, base_url="http://stake.com")
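When the base URL comes from configuration (an environment variable, a settings file) rather than a literal, validate it before constructing the client. The check below is an added example, not part of StakeAPI: it rejects plain http, embedded credentials, query strings and fragments, unexpected ports, and any host outside an allow-list, and returns a normalised URL. The ALLOWED_HOSTS set and the function names are assumptions for this example; adjust the host list to the endpoints you actually use.

```python
from urllib.parse import urlsplit, urlunsplit

# Assumption for this example: the only endpoint this client should ever talk to
ALLOWED_HOSTS = frozenset({"stake.com"})


def check_base_url(url: str, allowed_hosts=ALLOWED_HOSTS) -> str:
    """Return a normalised https base URL or raise ValueError.

    A mistyped or tampered setting must not quietly point the client at a
    cleartext endpoint, a look-alike host, or a URL carrying credentials.
    """
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme != "https":
        raise ValueError(f"base URL must use https, got {scheme or 'no scheme'!r}")
    if parts.username is not None or parts.password is not None:
        raise ValueError("base URL must not embed credentials")
    if parts.query or parts.fragment:
        raise ValueError("base URL must not carry a query string or fragment")
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts:
        raise ValueError(f"unexpected host {host!r}")
    if parts.port is not None and parts.port != 443:
        raise ValueError(f"unexpected port {parts.port}")
    # Normalise: lowercase scheme/host, no trailing slash, nothing after the path
    return urlunsplit(("https", host, parts.path.rstrip("/"), "", ""))


def is_safe_base_url(url: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Boolean form of check_base_url for configuration self-tests."""
    try:
        check_base_url(url, allowed_hosts)
        return True
    except ValueError:
        return False
```

Use it as `client = StakeAPI(access_token=token, base_url=check_base_url(os.environ["STAKE_BASE_URL"]))` (STAKE_BASE_URL being a hypothetical variable name) so a bad value aborts startup instead of producing a cleartext request.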
Request Timeouts
Always set timeouts to prevent hanging connections:
# 30-second timeout (default)
client = StakeAPI(access_token=token, timeout=30)
# Shorter timeout for critical applications
client = StakeAPI(access_token=token, timeout=10)
Session Management
Close Sessions Properly
Prefer the context manager, which closes the session even when a request raises. If you must manage the session by hand, close it in a finally block:
# GOOD: context manager handles cleanup
async with StakeAPI(access_token=token) as client:
    balance = await client.get_user_balance()
# ACCEPTABLE: manual cleanup (note that _create_session() is a private method; the context manager is the supported path)
client = StakeAPI(access_token=token)
try:
    await client._create_session()
    balance = await client.get_user_balance()
finally:
    await client.close()
Token Expiration Handling
AuthManager tracks expiry from the expires_in value you give it, so this check is a local estimate: the token can still be revoked server-side earlier. Handle an authentication error from the API as well, and do not keep a token in memory longer than needed.
from stakeapi.auth import AuthManager
auth = AuthManager(access_token=token)
auth.set_access_token(token, expires_in=3600)
# Check before making requests
if auth.is_token_expired():
    print("Token expired: get a new one")
    auth.clear_tokens()  # Clean up expired tokens from memory
Input Validation
Validate user-supplied values before they reach the API, using the built-in validation utilities:
from stakeapi.utils import validate_api_key, validate_bet_amount
from decimal import Decimal
# Validate API key format
if not validate_api_key(token):
raise ValueError("Invalid API key format")
# Validate bet amounts
if not validate_bet_amount(
amount=Decimal("0.001"),
min_bet=Decimal("0.0001"),
max_bet=Decimal("1.0")
):
raise ValueError("Bet amount out of range")
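A range check such as validate_bet_amount above assumes the value is already a sane Decimal. The parser below is an added example (not a StakeAPI utility) covering the inputs that reach a bet endpoint from users and config files and that a bare min/max comparison mishandles: floats (inexact), "NaN" and "Infinity" (which Decimal parses, and ordering comparisons against NaN raise InvalidOperation), non-numeric strings, negative or zero amounts, and amounts finer than the smallest accepted unit. The STEP constant, the default limits and the InvalidBetAmount name are assumptions for this example; the limits mirror the values used in the snippet above.

```python
from decimal import Decimal, InvalidOperation
from typing import Union

MIN_BET = Decimal("0.0001")       # defaults mirror the snippet above
MAX_BET = Decimal("1.0")
STEP = Decimal("0.00000001")      # assumption: smallest unit the API accepts (8 places)


class InvalidBetAmount(ValueError):
    """Raised for any bet amount that must not be sent to the API."""


def parse_bet_amount(raw: Union[str, int, Decimal],
                     min_bet: Decimal = MIN_BET,
                     max_bet: Decimal = MAX_BET,
                     step: Decimal = STEP) -> Decimal:
    """Parse and validate a user-supplied amount, returning a clean Decimal.

    Order matters: non-finite values are rejected before any comparison
    (comparing NaN raises), and the range check runs before the step check so
    an absurdly large exponent never reaches the modulo.
    """
    if isinstance(raw, (float, bool)):
        raise InvalidBetAmount("floats and booleans are not exact amounts; pass str or Decimal")
    try:
        amount = Decimal(str(raw).strip())
    except InvalidOperation:
        raise InvalidBetAmount(f"not a number: {raw!r}") from None
    if not amount.is_finite():            # NaN, sNaN, +Infinity, -Infinity
        raise InvalidBetAmount("amount must be finite")
    if amount <= 0:
        raise InvalidBetAmount("amount must be positive")
    if not (min_bet <= amount <= max_bet):
        raise InvalidBetAmount(f"amount {amount} outside [{min_bet}, {max_bet}]")
    if amount % step != 0:
        raise InvalidBetAmount(f"amount must be a multiple of {step}")
    return amount.quantize(step)


def is_valid_bet_amount(raw, **limits) -> bool:
    """Boolean form for callers that only need accept/reject."""
    try:
        parse_bet_amount(raw, **limits)
        return True
    except InvalidBetAmount:
        return False
```

Feed the returned Decimal, not the raw input, to the API call; it is already normalised to the step precision, so "1e-3" and "0.001" produce the same wire value.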
Logging Security
Never log sensitive data. If you must identify which token is in use, log a masked form; the mask below still reveals 12 characters, which is acceptable for a long random token but too much for a short one, so show fewer characters (or a hash) if in doubt:
import logging
logger = logging.getLogger("stakeapi")
# GOOD: mask the token
logger.info(f"Using token: {token[:8]}...{token[-4:]}")
# BAD: full token in logs
logger.info(f"Using token: {token}")
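Masking at each call site only helps at the call sites you remember; the token can also reach the log through a library's message, a URL in an error string, or an f-string someone writes later. The logging.Filter below is an added example, not part of StakeAPI: attached to a handler, it rewrites every record that passes through that handler, including %-style arguments, replacing each known secret with "***" plus a short tail. The class and function names, the keep parameter, and the constructed token used in the demo are this example's assumptions; exception tracebacks (exc_info) are not rewritten by this filter, so avoid putting secrets into exception messages.

```python
import logging
from io import StringIO
from typing import Iterable


class SecretRedactingFilter(logging.Filter):
    """Replace known secrets in every log record that passes through a handler.

    Attach it to the handler rather than to one logger so records from
    third-party libraries sharing that handler are covered too. It always
    returns True: it redacts, it never drops records.
    """

    def __init__(self, secrets: Iterable[str], keep: int = 4):
        super().__init__()
        # Longest first, so a secret containing a shorter one is replaced whole
        self._secrets = sorted({s for s in secrets if s}, key=len, reverse=True)
        self._keep = keep  # trailing characters left visible; 0 hides everything

    def redact(self, text: str) -> str:
        for secret in self._secrets:
            if secret in text:
                tail = secret[-self._keep:] if self._keep else ""
                text = text.replace(secret, f"***{tail}")
        return text

    def filter(self, record: logging.LogRecord) -> bool:
        if isinstance(record.msg, str):
            record.msg = self.redact(record.msg)
        if record.args:
            # Only string args are touched so %d/%f formatting keeps working
            if isinstance(record.args, dict):
                record.args = {k: (self.redact(v) if isinstance(v, str) else v)
                               for k, v in record.args.items()}
            else:
                record.args = tuple(self.redact(a) if isinstance(a, str) else a
                                    for a in record.args)
        return True


def log_through_filter(token: str) -> str:
    """Send the page's BAD example and a URL leak through the filter; return the output."""
    stream = StringIO()
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(SecretRedactingFilter([token]))
    logger = logging.getLogger("stakeapi.redaction_demo")
    logger.handlers.clear()
    logger.addHandler(handler)
    logger.propagate = False
    logger.setLevel(logging.INFO)
    logger.info("Using token: %s", token)                         # %-style argument
    logger.info(f"request failed for https://stake.com/?t={token}")  # already interpolated
    logger.info("retries=%d", 3)                                  # non-string arg left intact
    return stream.getvalue()


if __name__ == "__main__":
    # Constructed token for the demo, not a real credential
    print(log_through_filter("constructed-example-token-ab12cd34"))
```

Register the filter once where you configure logging, with every secret the process holds (access token, any refresh token), and set keep=0 in environments where even a four-character tail is unwanted.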
Security Checklist
- Access tokens stored in environment variables
- .env file added to .gitignore
- Tokens rotated regularly
- HTTPS used for all connections
- Timeouts configured
- Sessions properly closed
- No tokens in log output
- Input validation on all user-supplied data
- Error messages don't leak sensitive info
Security starts with a properly configured account: enable 2FA on your Stake.com account so a leaked token or password alone is not enough to take it over.