To help achieve the successful development of your application, when
using the Companies House API you should adhere to a few simple
guidelines:
Data is mostly returned as JSON documents. Your application must
tolerate the order of document members changing over time, and expect to
receive members it hasn't seen before.
The API can only be accessed over TLS. We recommend using TLS 1.2.
It is important to keep your API keys secure, to prevent them being
discovered, your account being compromised and your rate-limit quota
being exceeded. There are a few best practices that can help with this:
-
Storing keys in your application code increases the risk that they
will be discovered, particularly if any of your source code is made
public, or can be viewed by people who should not have access to the
key. Instead, you should consider storing them inside environment
variables or configuration.
-
If you store API keys in files, perhaps inside a configuration or
environment file, these should not be stored inside the application
source tree, just in case part or all of the source is made public
or can be viewed by people who should not have access to the key.
-
Limiting the use of a key to a specific IP address or domain will
reduce the usefulness of a key that becomes compromised.
-
By regenerating your API keys regularly, and certainly with each
application release, you can lessen the chance that a key will be
discovered.
-
Removing obsolete keys from your Developer Hub
registered-applications page limits the number of entry points into
your account.