## ✅ Security Features Implemented

### 1. RapidAPI Authentication
- **X-RapidAPI-Proxy-Secret validation**: All authenticated requests verified
- **Subscription tier enforcement**: Users can only access vibes allowed by their plan
- **API key rotation support**: Generate new keys anytime from the RapidAPI dashboard
- **Rate limiting**: Throttling handled by RapidAPI based on subscription tier

### 2. Tier-Based Access Control
- **Basic Tier**: 3 vibes (Stoic, Hype, Roast)
- **Pro Tier**: 6 vibes (Basic + Zen, Savage, Scholar)
- **Premium Tier**: All 9 vibes (Pro + Cosmic, Therapist, Drill Sergeant)
- **403 Forbidden**: Automatic rejection when users request unauthorized vibes
- **Dynamic upgrade messaging**: Clear instructions on which tier is needed

### 3. Lambda Security
- **Timeout**: 30 seconds (prevents runaway execution)
- **Memory limit**: 512MB (controlled resource usage)
- **IAM role**: Least-privilege principle (only SSM Parameter and CloudWatch access)
- **ARM64 architecture**: Modern, efficient runtime
- **No public access**: Only accessible via API Gateway

### 4. CloudWatch Monitoring
- **Structured logging**: All requests logged with watchtower integration
- **Log group**: `vibe-affirmations` (7-day retention)
- **Error tracking**: Automatic CloudWatch Insights queries
- **Metrics**: Request count, error rate, tier violations tracked
- **Alarms**: High errors (>50 in 5 min), slow responses (>3s p99)
### 5. Demo Endpoint Rate Limiting
- **100 requests/day per IP**: Prevents abuse of unauthenticated endpoints
- **10 requests/minute burst limit**: Stops rapid scraping
- **Demo endpoints only**: `/demo/affirmation` and `/demo/vibes`
- **No authentication bypass**: Demo endpoints return sample data only
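The two demo limits above (a rolling 100/day and a 10/minute burst, both keyed by client IP) can be expressed as one sliding-window limiter. The code below is an added illustration written for this page, not the service's own implementation; the page does not say where the limits are enforced, and the in-memory store here is a deliberate simplification (a Lambda fleet would need a shared store). The sample response body and the clock injection are constructed for the example.

```python
import time
from collections import deque

DAILY_LIMIT = 100        # requests per IP per rolling 24 h
BURST_LIMIT = 10         # requests per IP per rolling 60 s
DAY_SECONDS = 86_400
MINUTE_SECONDS = 60

# Constructed sample payload: demo endpoints return fixed sample data only,
# never a key-authenticated response.
SAMPLE_DEMO_BODY = {"vibe": "stoic", "affirmation": "Sample demo affirmation", "demo": True}


class DemoRateLimiter:
    """Sliding-window limiter keyed by client IP.

    Each IP's request timestamps for the last 24 h are kept; a request is refused
    when either window (100/day or 10/minute) is already full. State lives in
    memory, so on Lambda every execution environment would hold its own copy and a
    real deployment needs a shared store (for example API Gateway usage plans or an
    external cache). That enforcement point is an assumption, not stated on the page.
    """

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so the behaviour is testable offline
        self._hits = {}          # ip -> deque of timestamps, oldest first

    def check(self, ip):
        """Return (allowed, reason, retry_after_seconds); records the hit if allowed."""
        now = self._now()
        hits = self._hits.setdefault(ip, deque())
        while hits and now - hits[0] >= DAY_SECONDS:
            hits.popleft()       # timestamps that have left the 24 h window

        # Daily window first: it is the longer-lived refusal.
        if len(hits) >= DAILY_LIMIT:
            return False, "daily", int(DAY_SECONDS - (now - hits[0])) + 1

        in_last_minute = [t for t in hits if now - t < MINUTE_SECONDS]
        if len(in_last_minute) >= BURST_LIMIT:
            return False, "burst", int(MINUTE_SECONDS - (now - in_last_minute[0])) + 1

        hits.append(now)
        return True, "ok", 0


def demo_affirmation(client_ip, limiter):
    """Handler for /demo/affirmation; returns (status, headers, body).

    A refused request gets 429 with a Retry-After header so well-behaved clients
    back off instead of retrying immediately."""
    allowed, reason, retry_after = limiter.check(client_ip)
    if not allowed:
        return 429, {"Retry-After": str(retry_after)}, {
            "error": f"Demo rate limit exceeded ({reason} limit)",
        }
    return 200, {}, SAMPLE_DEMO_BODY
```

Because the limiter only ever stores timestamps per IP and discards them after 24 hours, it is consistent with the page's statement that IP addresses are used for demo rate limiting and not retained long-term.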
### 6. API Gateway Protection
- **HTTPS only**: All traffic encrypted in transit
- **CORS enabled**: Configurable origin restrictions
- **No API keys stored**: RapidAPI manages authentication
- **Regional deployment**: `ap-southeast-2` (Sydney) for optimal latency
## 🔒 RapidAPI Configuration

### Header Validation
Every authenticated request must include:

```http
X-RapidAPI-Key: your_api_key_here
X-RapidAPI-Host: vibe-affirmations.p.rapidapi.com
X-RapidAPI-Subscription: BASIC | PRO | PREMIUM
```

The Lambda function validates the `X-RapidAPI-Proxy-Secret` header (internal) to ensure requests originate from RapidAPI's proxy layer.

### SSM Parameter Store
The RapidAPI secret is stored securely in AWS Systems Manager Parameter Store:
- **Parameter**: `/vibe-affirmations/rapidapi-secret`
- **Type**: SecureString (encrypted at rest)
- **Version**: 3 (rotation history tracked)
- **Access**: Lambda IAM role only

> ⚠️ **Important**: Direct calls to the AWS Lambda endpoint without the RapidAPI proxy secret will be rejected with 403 Forbidden.
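The checks described in this section (proxy-secret validation, then tier enforcement with upgrade messaging, logging only metadata) fit in a small handler. The code below is an added example written for this page and is not the service's own Lambda code. It assumes an API Gateway proxy-integration event, reads the secret from an environment variable instead of the SSM parameter so it runs offline, and uses a constructed sample affirmation; the tier allow-lists are the ones documented above.

```python
import hmac
import json
import logging
import os

# Tier allow-lists as documented on this page: Pro includes Basic, Premium
# includes Pro. Vibe names are normalised to lower-case with hyphens.
TIER_VIBES = {
    "BASIC": {"stoic", "hype", "roast"},
    "PRO": {"stoic", "hype", "roast", "zen", "savage", "scholar"},
    "PREMIUM": {"stoic", "hype", "roast", "zen", "savage", "scholar",
                "cosmic", "therapist", "drill-sergeant"},
}
TIER_ORDER = ["BASIC", "PRO", "PREMIUM"]

log = logging.getLogger("vibe-affirmations")


def load_proxy_secret():
    """Assumption: the deployed function fetches /vibe-affirmations/rapidapi-secret
    (SecureString) from SSM at cold start. This example reads an environment
    variable instead so it runs offline."""
    secret = os.environ.get("RAPIDAPI_PROXY_SECRET")
    if not secret:
        raise RuntimeError("RAPIDAPI_PROXY_SECRET is not configured")
    return secret


def get_header(headers, name):
    """Case-insensitive header lookup; API Gateway does not guarantee header case."""
    wanted = name.lower()
    for key, value in (headers or {}).items():
        if key.lower() == wanted:
            return value
    return None


def normalise_vibe(vibe):
    return (vibe or "").strip().lower().replace(" ", "-")


def minimum_tier_for(vibe):
    """Lowest tier whose plan includes the vibe, or None for an unknown vibe."""
    for tier in TIER_ORDER:
        if vibe in TIER_VIBES[tier]:
            return tier
    return None


def log_metadata(vibe, tier, status):
    """Structured log record with metadata only (vibe, tier, status); request
    headers and the secret are deliberately never written to the log."""
    log.info(json.dumps({"vibe": vibe, "tier": tier, "status": status}))


def authorize(headers, vibe, expected_secret):
    """Return (http_status, body) after the two checks the page describes:
    1. the request carries the proxy secret, so it came through RapidAPI;
    2. the tier in X-RapidAPI-Subscription permits the requested vibe."""
    vibe = normalise_vibe(vibe)
    presented = get_header(headers, "X-RapidAPI-Proxy-Secret") or ""
    # Constant-time comparison: a plain == leaks timing about the first mismatching byte.
    if not hmac.compare_digest(presented.encode(), expected_secret.encode()):
        log_metadata(vibe, None, 403)
        return 403, {"error": "Forbidden: requests must be sent through the RapidAPI proxy"}

    tier = (get_header(headers, "X-RapidAPI-Subscription") or "").upper()
    if tier not in TIER_VIBES:
        log_metadata(vibe, tier, 403)
        return 403, {"error": "Forbidden: unknown or missing subscription tier"}

    needed = minimum_tier_for(vibe)
    if needed is None:
        log_metadata(vibe, tier, 404)
        return 404, {"error": f"Unknown vibe '{vibe}'"}

    if vibe not in TIER_VIBES[tier]:
        log_metadata(vibe, tier, 403)
        return 403, {"error": (f"Vibe '{vibe}' requires the {needed} plan; your plan is {tier}. "
                               "Upgrade your subscription in the RapidAPI dashboard.")}

    log_metadata(vibe, tier, 200)
    # Constructed sample payload; the real service generates the affirmation text.
    return 200, {"vibe": vibe, "tier": tier, "affirmation": "Sample affirmation text"}


def lambda_handler(event, context):
    """API Gateway (proxy integration) entry point."""
    params = event.get("queryStringParameters") or {}
    status, body = authorize(event.get("headers") or {}, params.get("vibe"), load_proxy_secret())
    return {"statusCode": status,
            "headers": {"Content-Type": "application/json"},
            "body": json.dumps(body)}
```

The ordering matters: the proxy-secret check runs before anything that depends on client-supplied headers, so a caller who bypasses RapidAPI cannot reach the tier logic by forging `X-RapidAPI-Subscription`.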
## 🛡️ Data Privacy & Protection

### Zero Data Retention
- **No user data stored**: Affirmation requests processed in-memory only
- **Ephemeral processing**: All data discarded after response
- **No request logging of sensitive data**: Only metadata logged (vibe, tier, status)
- **CloudWatch logs**: Auto-deleted after 7 days

### BYOK Model (Live AI Endpoint)
For custom AI-generated affirmations, users must provide their own OpenAI API key:
- **You control costs**: OpenAI charges billed directly to your account
- **We never see your key**: Passed in request header, never stored
- **Topic data**: Custom topics sent to OpenAI (review OpenAI privacy policy)
- **No markup**: We don't charge for AI generation, only API access

**Privacy Best Practice**: The BYOK model means your custom affirmation topics are processed directly by OpenAI's API. ApiaryLabs never stores or logs your topics or generated content.

### GDPR Compliance
- **No personal data collected**: API is stateless and anonymous
- **IP addresses**: Used only for demo rate limiting (not logged long-term)
- **Right to be forgotten**: N/A (no data retained)
- **Data portability**: N/A (no user data stored)
- **Lawful basis**: Legitimate interest (API service delivery)
## 🔐 Best Practices for Developers

### 1. Protect Your API Keys
⚠️ Never expose API keys in:
- Frontend JavaScript code (client-side)
- Git repositories or version control
- Public documentation or screenshots
- Mobile app binaries (reverse-engineerable)
- Error messages or logs
### 2. Use Backend Proxies
For web and mobile apps, proxy API calls through your backend:

```javascript
// ✅ Good: Backend proxy
// Frontend → Your Server → Vibe API
fetch('/api/affirmation?vibe=hype')

// ❌ Bad: Direct frontend call
fetch('https://vibe-affirmations.p.rapidapi.com/...', {
  headers: { 'X-RapidAPI-Key': 'exposed_key' } // 🚨 Don't do this!
})
```
### 3. Environment Variables

```bash
# .env file (never commit to Git)
RAPIDAPI_KEY=your_key_here
RAPIDAPI_HOST=vibe-affirmations.p.rapidapi.com
```

```gitignore
# .gitignore
.env
.env.local
.env.*.local
```
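Putting practices 1 to 3 together: the backend proxy behind `/api/affirmation` reads the key from the environment (populated from the `.env` file above), validates the only client-controlled parameter before spending a quota unit, and returns generic error messages so the key can never surface in a response. This is an added example written for this page, not the project's own code; the upstream path `/affirmation?vibe=...` is an assumption (use the path from the API's RapidAPI listing), and the `key`/`host` parameters and injectable `send` exist so the handler can be exercised without network access.

```python
import json
import os
import urllib.parse
import urllib.request

# The nine vibes documented on this page; anything else is rejected before
# an upstream call is made.
ALLOWED_VIBES = {"stoic", "hype", "roast", "zen", "savage", "scholar",
                 "cosmic", "therapist", "drill-sergeant"}
DEFAULT_HOST = "vibe-affirmations.p.rapidapi.com"


class ConfigError(RuntimeError):
    """Raised when the server-side key is missing; its text never reaches clients."""


def upstream_request(vibe, key=None, host=None):
    """Build the outbound RapidAPI request (URL, headers).

    The key comes from the environment, never from the browser. `key`/`host`
    parameters are assumptions added so tests can run without env vars. The
    /affirmation path is illustrative, not taken from the page."""
    key = key if key is not None else os.environ.get("RAPIDAPI_KEY")
    host = host or os.environ.get("RAPIDAPI_HOST", DEFAULT_HOST)
    if not key:
        raise ConfigError("RAPIDAPI_KEY is not set")
    vibe = (vibe or "").strip().lower().replace(" ", "-")
    if vibe not in ALLOWED_VIBES:
        raise ValueError(f"unsupported vibe '{vibe}'")
    query = urllib.parse.urlencode({"vibe": vibe})
    url = f"https://{host}/affirmation?{query}"
    headers = {"X-RapidAPI-Key": key, "X-RapidAPI-Host": host}
    return url, headers


def send_upstream(url, headers):
    """Real transport: GET the upstream URL and decode the JSON body."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, json.loads(resp.read().decode("utf-8"))


def proxy_affirmation(vibe, key=None, host=None, send=send_upstream):
    """Backend handler behind GET /api/affirmation?vibe=...; returns (status, body).

    Error responses are deliberately generic: the upstream URL, headers and any
    exception text are the only places the key could appear, and none of them
    are echoed back to the caller."""
    try:
        url, headers = upstream_request(vibe, key=key, host=host)
    except ValueError as exc:
        return 400, {"error": str(exc)}          # only the client's own input is echoed
    except ConfigError:
        return 500, {"error": "server configuration error"}
    try:
        status, body = send(url, headers)
    except Exception:
        return 502, {"error": "upstream request failed"}
    return status, body
```

Wire `proxy_affirmation` to whatever web framework serves `/api/affirmation`; the frontend then calls that route exactly as in the "Good" snippet above and never holds a RapidAPI key.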
### 4. Rotate Keys Regularly
- **Schedule**: Every 90 days minimum
- **Process**: Generate new key in RapidAPI dashboard, update environment variables, revoke old key
- **Incidents**: Rotate immediately if key is compromised

### 5. Monitor Usage
- **Set up alerts**: Unusual spikes in request volume
- **Check analytics**: RapidAPI dashboard shows request patterns
- **Review quotas**: Ensure you're not hitting rate limits
- **Track errors**: 401/403 errors may indicate configuration issues
## 🚨 Security Incident Response

### If You Suspect Key Compromise:
- **Revoke immediately**: Go to RapidAPI dashboard → API Keys → Delete
- **Generate new key**: Create replacement key
- **Update applications**: Deploy new key to all environments
- **Check logs**: Review RapidAPI analytics for suspicious activity
- **Contact support**: Email [email protected] if abuse detected

### Report Security Issues
Found a security vulnerability? Contact us:
- **Email**: [email protected]
- **Response time**: 24-48 hours
- **Responsible disclosure**: We'll work with you to fix issues before public disclosure
## 🔍 Monitoring & Alerts

### CloudWatch Alarms (AWS Side)

| Alarm | Threshold | Action |
|---|---|---|
| High Error Rate | >50 errors in 5 minutes | SNS notification to ops team |
| Slow Responses | P99 latency >3 seconds | Investigate performance issues |
| Tier Violations | >10 in 5 minutes | Check for subscription misconfigurations |

### RapidAPI Analytics (Your Side)
Monitor your API usage in the RapidAPI dashboard:
- **Request volume**: Daily/monthly request counts
- **Error rates**: 4xx and 5xx responses
- **Latency**: Response time distribution
- **Endpoint usage**: Which endpoints are most popular
- **Geographic distribution**: Where requests originate
## 📜 Compliance & Certifications

### Infrastructure Compliance
- **AWS SOC 2**: Lambda and API Gateway are SOC 2 compliant
- **GDPR**: No personal data stored or processed
- **HTTPS/TLS 1.2+**: All traffic encrypted in transit
- **Encryption at rest**: SSM Parameter Store uses AWS KMS

### Third-Party Dependencies
- **OpenAI API**: Used only when users provide their own keys (BYOK)
- **RapidAPI**: Authentication and billing infrastructure
- **AWS**: Compute, storage, and networking infrastructure

**Audit Trail**: All API access is logged (metadata only) and retained for 7 days in CloudWatch. Full audit logs available upon request for Enterprise customers.
## 💡 Security FAQ

**Q: Can I use the API from frontend JavaScript?**
A: Demo endpoints are safe for frontend use (no auth required). For authenticated endpoints, use a backend proxy to protect your API key.

**Q: What happens if my API key is leaked?**
A: Revoke the key immediately in the RapidAPI dashboard. Generate a new one and update your applications. Check analytics for unauthorized usage.

**Q: How long are CloudWatch logs retained?**
A: 7 days by default. Enterprise customers can request extended retention.

**Q: Does the API store my custom affirmation topics?**
A: No. Topics sent to the live AI endpoint are processed by OpenAI and immediately discarded. We don't log or store custom topics.

**Q: Is the demo endpoint rate-limited?**
A: Yes. 100 requests/day per IP address (10 requests/minute burst limit).

**Q: Can I whitelist IP addresses?**
A: Enterprise customers can request IP whitelisting. Contact [email protected].