API security rests not on a single measure but on layers. The VDS Host Reseller API offers three core layers.

1. HMAC signature

Each request is signed with your secret key. The secret is never sent over the network; only the signature is transmitted. This makes it harder for the key to be compromised.

2. IP whitelist

Your key only accepts calls from the IP addresses you define in the panel. Even if a key leaks, it cannot be used from a different IP.

3. Timestamp and replay protection

Thanks to the timestamp included in the signature, a captured request cannot be replayed later. All calls are tracked in the reseller_api_logs table.

Best practices

Rotate keys regularly, use separate keys for production and testing, and keep the whitelist as narrow as possible.