Security Best Practices
This guide covers security best practices for configuring your Carabaas organization, managing API access, and implementing duty segregation.
API Key Security
Key Generation
Generate RSA-4096 keys for maximum security:
openssl genrsa -out private_key.pem 4096
openssl rsa -in private_key.pem -pubout -out public_key.pem
Key Storage
| Environment | Recommended Storage |
|---|---|
| Production | HSM (Hardware Security Module) or cloud KMS |
| Staging | Secret manager (AWS Secrets Manager, Vault) |
| Development | Encrypted local file |
Key Rotation
- Generate a new RSA key pair
- Register the new public key via the API
- Update your application to use the new private key
- Verify the new key works
- Block the old key
curl -X POST \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{
"publicKey": "-----BEGIN PUBLIC KEY-----\n...\n-----END PUBLIC KEY-----",
"name": "Production API Key v2"
}' \
https://api.carabaas.com/api/v1/organizations/keys
curl -X PATCH -H "Authorization: Bearer $TOKEN" \
https://api.carabaas.com/api/v1/organizations/keys/{oldKeyId}/block
JWT Token Lifetime
Set exp according to your security policy:
| Use Case | Recommended Lifetime |
|---|---|
| Per-request tokens | 30 seconds |
| Session tokens | 1 hour |
| Service-to-service | 15 minutes |
Role-Based Access Control
Principle of Least Privilege
Assign the minimum role needed for each user or API client:
| Task | Minimum Role |
|---|---|
| View balances and txs | Viewer |
| Create transactions | Operator |
| Approve transactions | Approver |
| Manage vault settings | VaultAdmin |
| Manage organization users | OrgAdmin |
| Emergency suspension | SecurityOfficer |
Segregation of Duties
Ensure no single person can both initiate and approve a transaction:
| Role | Can Initiate | Can Approve | Can Sign |
|---|---|---|---|
| Operator | ✅ | ❌ | ❌ |
| Approver | ❌ | ✅ | ❌ |
| Signer | ❌ | ❌ | ✅ |
| VaultAdmin | ✅ | ✅ | ❌ |
| Treasurer | ✅ | ✅ | ❌ |
Suspend Compromised Clients
If a client's credentials are compromised, suspend immediately:
curl -X PATCH -H "Authorization: Bearer $TOKEN" \
https://api.carabaas.com/api/v1/organizations/clients/{clientId}/suspend
Quorum Policies
Design Principles
- Low-value vaults (hot wallets) — lower quorum (1-of-2 or automated)
- High-value vaults (treasury, customer funds) — higher quorum (2-of-3 or 3-of-5)
- Different approver pools — use separate groups for different risk levels
- Automated vs. manual — API co-signers for automated approval, human approval for high-value
Example: Three-Tier Policy
| Vault | Quorum | Approvers | Use Case |
|---|---|---|---|
| Hot Operations | 1-of-2 | API + Ops Lead | Daily withdrawals |
| Customer Funds | 2-of-3 | Compliance + Ops + Finance | Customer payouts |
| Treasury | 3-of-5 | CEO + CFO + COO + CTO + CISO | Large movements |
Cosigner Security
Unseal Key Holder Selection
Choose unseal key holders from different departments and different geographic locations:
- Key Holder 1: Security team (Location A)
- Key Holder 2: Operations team (Location B)
- Key Holder 3: Executive team (Location C)
No single department or location compromise can unseal the cosigner.
Cosigner Monitoring
Monitor the cosigner's status endpoint and alert on state changes:
| Status | Alert Level | Action |
|---|---|---|
ready | Normal | None |
sealed | Warning | Contact unseal key holders |
disconnected | Critical | Investigate network/server issues |
Security Checklist
| Item | Status |
|---|---|
| RSA keys stored in HSM or secret manager | ☐ |
| JWT lifetime set to minimum needed | ☐ |
| API key rotation schedule defined | ☐ |
| Roles follow least-privilege principle | ☐ |
| Initiation and approval separated | ☐ |
| Quorum policies match risk levels | ☐ |
| Unseal key holders in separate departments | ☐ |
| Cosigner monitoring and alerting active | ☐ |
| Address book whitelisting enabled | ☐ |
| Audit log export configured | ☐ |