Understanding API Security & Domain Verification

June 25, 2026

How Shika Connect Protects Your Account

Our API has two layers of domain-based validation built into the security middleware to ensure requests are legitimate. Here is how it protects your account:

1. The DNS "Handshake" (Domain Ownership)

Before you can even use the Production API, you must complete the Domain Verification process in your dashboard.

  • This proves that you actually own the domain (e.g., api.yourcompany.com) from which you claim to be sending.
  • The system performs a real-time check to see if your website has our specific "ownership code" attached to it.

2. The Request Origin Check

When your application sends an SMS request to our API, our security system inspects the "Origin" or "Referer" header of that request.

  • How it works: It checks if the website address where the request started matches your Verified Domain.
  • The Rule: If someone tries to steal your API Key and use it from a different website, our system will see that the request is coming from an unverified location and will instantly block it.
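
A sketch of the request origin check described above, added here as an illustration and not Shika Connect's own code; the key store, the function names and the HTTPS-only rule are assumptions. It compares the parsed host exactly rather than by substring, and because Origin and Referer are supplied by the client, the API key is still validated alongside it.

```python
from urllib.parse import urlsplit

# Constructed sample data: verified domains per API key (hypothetical store).
VERIFIED_DOMAINS = {"key_demo_123": {"api.yourcompany.com"}}


def request_host(headers):
    """Return the normalized host from Origin, else Referer, or None."""
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    value = lowered.get("origin") or lowered.get("referer")
    if not value:
        return None  # neither header present
    try:
        parts = urlsplit(value)
        host = parts.hostname  # drops port and userinfo, lowercases
    except ValueError:
        return None  # malformed URL (e.g. unbalanced IPv6 brackets)
    # Assumption: only https origins are accepted. An opaque origin is sent
    # as the literal string "null", which has no scheme and fails here.
    if parts.scheme != "https" or not host:
        return None
    return host.rstrip(".").lower()  # strip a trailing root dot


def origin_allowed(api_key, headers):
    """Allow only when the request host exactly equals a verified domain."""
    host = request_host(headers)
    allowed = VERIFIED_DOMAINS.get(api_key, set())
    # Exact set membership: substring or prefix matching would accept
    # lookalike hosts such as "api.yourcompany.com.example.net".
    return host is not None and host in allowed


if __name__ == "__main__":
    samples = [  # constructed request headers
        {"Origin": "https://api.yourcompany.com"},
        {"Referer": "https://api.yourcompany.com:8443/send"},
        {"Origin": "https://api.yourcompany.com.example.net"},
        {"Origin": "null"},
        {},
    ]
    for h in samples:
        print(h, "->", "allow" if origin_allowed("key_demo_123", h) else "block")
```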

Why this matters for you:

  • Prevents Key Theft: Even if an API Key is accidentally leaked, it will only "unlock" the SMS gateway if the request comes specifically from your website.
  • Protects your Credits: It ensures that only your authorized applications can spend your SMS balance.
  • Brand Safety: It guarantees that messages sent with your company name are actually coming from your real business servers.