This package is a thin synchronous HTTPS client over the Apier API. It does not store credentials, manage configuration files, or process Norwegian compliance data locally — every business decision happens server-side at https://www.apier.no.
- API key leakage via diagnostic output.
APIER_API_KEYis masked as***inClient.__repr__/Client.__str__. A regression test pins this exactly so the key cannot regain a path into log output without breaking CI. - API key leakage via exception text.
ApierErrorcarries only the parsederror_code+ summaryexplanation+ HTTP status. Raw response bodies, headers, and request URLs are never embedded in the exception — even when the upstream body happens to contain a token-shaped string. - Mistargeted endpoints.
base_urlwith any scheme other thanhttps://is rejected at construction time. The customHttpsOnlyRedirectHandlerrefuses to follow any redirect whose target scheme is nothttps://, even if the API ever accidentally emits one — defence in depth against open-redirect attacks that could leak the Authorization header to a third party. - Cert chain tampering. The client uses
ssl.create_default_context()with no overrides. There is noverify=Falseknob, no custom CA bundle parameter, and no environment variable that disables verification. A user with a broken cert chain must fix the chain or fork. - Supply-chain drift. Zero runtime dependencies — stdlib only (
urllib,ssl,json,dataclasses,typing). The published wheel + sdist are scanned in CI for token-shaped strings before publish, and a separate fork-publish guard ensures the Trusted Publishing OIDC flow only runs on the canonicalPowerLaunch/apier-pythonrepo. - Long-lived publish secrets. Releases use PEP 740 Trusted Publishing via GitHub OIDC. No PyPI token is stored anywhere — not in repo secrets, not in environment, not in any developer's
~/.pypirc.
These sit at the host layer and are out of scope for the library:
- Shell history. Setting
APIER_API_KEY=apier_test_…inline on the command line will record the key in your shell history. Prefer per-sessionexportfrom a non-recorded file, or a secret manager. - CI logs. If you echo
os.environ["APIER_API_KEY"]from a script, the value will land in CI logs verbatim. The library never does that itself. - Local process inspection. On multi-user systems,
ps ewwor equivalent can reveal environment variables to local users with sufficient privilege. The library runs in user space; it cannot defend against an attacker who already has user-level shell access on your machine. - HTTPS proxies that terminate TLS. Corporate MITM proxies with locally trusted CAs will be accepted by the system default SSL context — that is the host operator's policy choice, not the library's. The library has no knob to opt out of the system CA store.
Email security@apier.no.
Please include reproduction steps and the version of apier-no you tested against (python -c "import apier; print(apier.__version__)"). We aim to acknowledge within 48 hours and to publish a fix within 7 days for high-severity issues.
Do not file public GitHub issues for security reports.