Storing credentials securely
DomainTools API keys authenticate every request and are tied to your account.
Examples on this site use placeholders like YOUR_API_KEY or shell variables like $DOMAINTOOLS_API_KEY. Both are illustrative, not recommendations. Each common storage method has its own exposure paths and trade-offs.
Before storing in plaintext, check with your team
Plaintext credentials in shared locations — Git, chat, wikis, email, client-side code — are out of bounds under most security policies. Don't store there without explicit sign-off from your security or platform team.
How you store, distribute, and audit API keys is a decision for your security or platform team, driven by your existing identity, secrets, and compliance tooling. Treat the examples here as starting points and apply the secret-management practices your environment already uses.
For background, see OWASP Application Security Verification Standard and NIST SP 800-57, and the documentation for whichever secret manager or vault you operate.
What DomainTools owns
Key lifecycle paths differ by product:
- Iris, Lookups and Monitors, Threat Feeds. Your group's API administrator manages and rotates keys at https://research.domaintools.com under Account → API Admin. Only the API owner can reset the key.
- MCP Server. Rotate at your account dashboard.
- Farsight DNSDB and Farsight SIE. Keys are provisioned and rotated by DomainTools Enterprise Support at enterprisesupport@domaintools.com.