Skip to main content

Security baseline

This page lists the minimum security controls you should implement before production.

Secrets and credentials

Service keys are server-to-server credentials for /mgt/v1. Keep them server-side only.
Store secrets in a secret manager. Do not commit them to source control.
Separate environments (dev, staging, prod) with separate realms and separate keys.
Rotate keys periodically and after any suspected exposure.

Least privilege by architecture

Backend services and workers: use Service Key auth for /mgt/v1.
Frontend and mobile: use bearer tokens for /api/v1 only.

Logging

MUST NOT log:

Service key secrets
bearer tokens
raw request bodies that may contain sensitive customer payloads

SHOULD log:

realm_id
principal_id
billing_account_id (if already resolved and safe to store)
Idempotency-Key for writes
X-Request-Id when present

Webhooks (if you use a payment provider)

Verify webhook signatures.
Enforce idempotency on webhook processing.
Handle replay, delay, and out-of-order delivery.

Next

Operational safety: Operational safety
HTTP and auth reference: HTTP and auth

Secrets and credentials
Least privilege by architecture
Logging
Webhooks (if you use a payment provider)
Next