Skip to main content

Your API Credentials

At onboarding, EasyCred issues you two values. Both are shown exactly once and cannot be retrieved later — store them immediately in your secret manager.
Never commit, log, or share either value in plaintext. When debugging, log only the 8-character key prefix.

Credential Reference

apiKey

Format: ec_live_… (production) or ec_test_… (sandbox)Sent in the x-api-key header on every request.

signingSecret

Format: 48-character hex stringUsed locally to compute the request HMAC-SHA256 signature. Never sent over the wire.

Key Formats

Key TypePrefixEnvironment
Productionec_live_Live customers and real data
Sandboxec_test_Testing and integration validation

Security Best Practices

Store both apiKey and signingSecret in a secrets management system (e.g. AWS Secrets Manager, HashiCorp Vault, or your cloud provider’s equivalent). Never hardcode them in source files.
Only grant access to your credentials to services and team members that strictly need them. Apply the principle of least privilege.
When logging request metadata for debugging, log only the first 8 characters of the apiKey (e.g. ec_live_a1b2c3d4). Never log the full key or the signingSecret.
If you suspect your credentials have been exposed, contact your EasyCred onboarding manager immediately to rotate your key.

Usage in Requests

Your apiKey goes in the x-api-key header on every API call:
x-api-key: ec_live_a1b2c3d4_<rest-of-key>
Your signingSecret is used only on your server to compute the x-signature header. See Authentication for the full signing process.
The signingSecret is never transmitted over the network — it stays entirely within your backend infrastructure.