CodePlanet Docs

API Security

Secure API communication

This guide covers how to securely interact with the CodePlanet API, manage your API keys, and follow best practices for safe data access.

Authentication

All authenticated API endpoints require a valid session cookie. The API uses Supabase Auth with cookie-based sessions.

Session-Based Authentication

When you log in via the web app, a secure httpOnly session cookie is set. API routes automatically read this cookie to identify you.

Cookie: sb-access-token=eyJhbG...; sb-refresh-token=abc123...

For server-to-server communication, use the API key system described below.

API Keys

For programmatic access, CodePlanet supports API keys:

  1. Generate a key in Settings → API Keys
  2. Include the key in your request headers:

     curl -H "x-api-key: your_api_key_here" \
       https://acodeplanet.tech/api/v1/problems

  Key Type  | Rate Limit  | Access
  Personal  | 100 req/min | Your own data
  Read-only | 60 req/min  | Public data only

Key Management

  • Rotate keys regularly — generate new keys and revoke old ones periodically
  • Never share keys — each key is tied to your account
  • Revoke compromised keys immediately — go to Settings → API Keys → Revoke

Rate Limiting

All API endpoints are rate-limited to prevent abuse:

  Tier      | Requests/Minute | Requests/Hour
  Free      | 30              | 500
  Pro       | 100             | 3,000
  Developer | 300             | 10,000

When you exceed the limit, the API returns:

{
  "success": false,
  "error": "Rate limit exceeded. Please try again later.",
  "retryAfter": 60
}

Headers returned:

  • X-RateLimit-Limit: Your rate limit
  • X-RateLimit-Remaining: Remaining requests
  • X-RateLimit-Reset: Time when the limit resets (Unix timestamp)

Security Best Practices

For Frontend Applications

  1. Never expose API keys in client-side code — use server-side proxying
  2. Use HTTPS exclusively — all API requests must use https://
  3. Validate responses — check success field before using data
  4. Handle errors gracefully — don't expose raw error messages to users

For Backend Integrations

  1. Store keys in environment variables — never hardcode in source code
  2. Use the minimum scope needed — read-only keys for read-only operations
  3. Implement retry logic — handle 429 (rate limit) with exponential backoff
  4. Log API usage — monitor for unusual patterns

Example: Safe API Call

async function fetchProblems() {
  // Read the key from the environment; never hardcode it in source.
  const apiKey = process.env.CODEPLANET_API_KEY;

  if (!apiKey) {
    throw new Error('API key not configured');
  }

  // Always HTTPS; the key travels in the x-api-key header.
  const response = await fetch('https://acodeplanet.tech/api/v1/problems', {
    headers: {
      'x-api-key': apiKey,
      'Content-Type': 'application/json',
    },
  });

  if (response.status === 429) {
    // X-RateLimit-Reset is a Unix timestamp (seconds), not a delay.
    const retryAfter = response.headers.get('X-RateLimit-Reset');
    throw new Error(`Rate limited. Retry after ${retryAfter}`);
  }

  if (!response.ok) {
    throw new Error(`API error: ${response.status}`);
  }

  // Check the success field before trusting the payload.
  const data = await response.json();
  if (!data.success) {
    throw new Error(data.error || 'Unknown error');
  }

  return data.data;
}
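The function above stops at the first 429. The client below is an added example (not CodePlanet's own code) that implements the exponential backoff recommended for backend integrations, honouring the retryAfter field (assumed here to be in seconds) or the X-RateLimit-Reset header; fetchWithBackoff, backoffDelayMs and the injected fetchImpl/sleepImpl are hypothetical names, with the transport injected so the logic can be exercised offline.

```javascript
// Added example, not CodePlanet's own code: retry a GET on HTTP 429 with
// exponential backoff, honouring the retryAfter body field (assumed to be
// seconds) or the X-RateLimit-Reset header (Unix seconds) documented above.
// fetchImpl and sleepImpl are injected so the logic runs offline in tests.

// Milliseconds to wait before the next attempt (hypothetical helper).
// Server hints win; otherwise double from 1s, cap at 30s, add jitter.
function backoffDelayMs(attempt, retryAfterSec, resetUnixSec, nowMs, jitter = Math.random()) {
  if (Number.isFinite(retryAfterSec) && retryAfterSec > 0) {
    return retryAfterSec * 1000;
  }
  if (Number.isFinite(resetUnixSec) && resetUnixSec * 1000 > nowMs) {
    return resetUnixSec * 1000 - nowMs;
  }
  const base = Math.min(1000 * 2 ** attempt, 30000);
  return base + Math.floor(jitter * 250);
}

async function fetchWithBackoff(url, apiKey, { fetchImpl = fetch, sleepImpl, maxRetries = 4 } = {}) {
  if (!apiKey) throw new Error('API key not configured');
  const sleep = sleepImpl || ((ms) => new Promise((resolve) => setTimeout(resolve, ms)));
  const delays = []; // recorded so callers (and tests) can inspect the schedule
  for (let attempt = 0; ; attempt++) {
    const response = await fetchImpl(url, { headers: { 'x-api-key': apiKey } });
    if (response.status === 429) {
      if (attempt >= maxRetries) throw new Error('Rate limited: retries exhausted');
      let retryAfter;
      try { retryAfter = (await response.json()).retryAfter; } catch { /* body optional */ }
      const reset = Number(response.headers.get('X-RateLimit-Reset'));
      const delay = backoffDelayMs(attempt, Number(retryAfter), reset, Date.now());
      delays.push(delay);
      await sleep(delay);
      continue;
    }
    if (!response.ok) throw new Error(`API error: ${response.status}`);
    const body = await response.json();
    if (!body.success) throw new Error(body.error || 'Unknown error');
    return { data: body.data, attempts: attempt + 1, delays };
  }
}
```

Bounding maxRetries matters: an unbounded retry loop against a rate-limited endpoint only deepens the limit and hides outages from your logs.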

Data Protection

What Data Is Public

These endpoints return data visible to anyone:

  • Problem listings and details
  • Public leaderboards
  • Public user profiles (if enabled by the user)
  • Course catalog and lesson content
  • Certificate verification

What Data Is Private

These require authentication and only return your own data:

  • Submission history
  • Progress and statistics
  • Notes and bookmarks
  • Payment information
  • Profile settings

Data Isolation

  • You can only access your own private data — there is no way to access another user's private information through the API
  • All write operations verify ownership server-side
  • Admin endpoints require explicit admin role verification

Reporting Security Issues

If you discover a security vulnerability in the CodePlanet API:

  1. Do not exploit or publicize the vulnerability
  2. Email security@acodeplanet.tech with details
  3. Include steps to reproduce
  4. We will acknowledge receipt within 48 hours
  5. We aim to fix critical issues within 7 days
