- Keys are hashed server-side; never store the plain text value after the initial reveal.
- Rotate keys through the Cloud API or upcoming console forms so the event store tracks revocation events.
- Limit who can access the operator console where developer keys are created, since those keys unlock privileged actions.
API Key Management
API Key Security
Follow the same safeguards the platform uses to protect developer and project keys.
Security recommendations mirror the controls implemented in the backend: