Security Best Practices
A summary of security principles for the platform's credentials and sensitive data.
API keys
- An API key is the identity credential for API calls. Keep it safe, do not share it with others, and do not commit it to version control.
- Inject the
your-api-key-herevalue in code samples via environment variables or a secret manager instead of hardcoding it. - Create a separate key for each use case and set a Budget Limit — even if a key leaks, the loss is capped at the limit. Disable or delete keys you no longer use.
- A key's content is shown only once, at creation time. If lost, create a new key and rotate out the old one.
Account
- Passwords must be at least 8 characters and include uppercase and lowercase letters, digits, and symbols. You can also log in with a Google or GitHub account and rely on that service's security mechanisms.
- After a password change, the platform logs out all sessions; log back in with the new password.
Container workloads
- Store sensitive settings (tokens, connection strings) in Secrets and mount them as environment variables; do not enter them directly in the deployment settings' environment variable fields.
- Manage login credentials for third-party container registries centrally with credential keys.