Your API Credentials
At onboarding, EasyCred issues you two values. Both are shown exactly once and cannot be retrieved later — store them immediately in your secret manager.Credential Reference
apiKey
Format:
ec_live_… (production) or ec_test_… (sandbox)Sent in the x-api-key header on every request.signingSecret
Format: 48-character hex stringUsed locally to compute the request HMAC-SHA256 signature. Never sent over the wire.
Key Formats
| Key Type | Prefix | Environment |
|---|---|---|
| Production | ec_live_ | Live customers and real data |
| Sandbox | ec_test_ | Testing and integration validation |
Security Best Practices
Use a Secret Manager
Use a Secret Manager
Store both
apiKey and signingSecret in a secrets management system (e.g. AWS Secrets Manager, HashiCorp Vault, or your cloud provider’s equivalent). Never hardcode them in source files.Restrict Key Permissions
Restrict Key Permissions
Only grant access to your credentials to services and team members that strictly need them. Apply the principle of least privilege.
Safe Debugging
Safe Debugging
When logging request metadata for debugging, log only the first 8 characters of the
apiKey (e.g. ec_live_a1b2c3d4). Never log the full key or the signingSecret.Rotate on Compromise
Rotate on Compromise
If you suspect your credentials have been exposed, contact your EasyCred onboarding manager immediately to rotate your key.
Usage in Requests
YourapiKey goes in the x-api-key header on every API call:
signingSecret is used only on your server to compute the x-signature header. See Authentication for the full signing process.
The
signingSecret is never transmitted over the network — it stays entirely within your backend infrastructure.