Keep credentials scoped and server-side
Create narrowly scoped keys, store tokens once, and treat every client-visible environment as untrusted.
Built forIntegration teams
Key lifecycle
- Create keys only from the authenticated owner workflow.
- Request only the scopes your integration needs; conversion ingestion requires conversion:write.
- The complete token is returned only at creation. Store it in a server-side secret store.
- Listings expose metadata and prefix only, never the token or hash.
- Revoke a key immediately when ownership or storage integrity changes.
Request security
Send keys in the Authorization: Bearer header over HTTPS. Never place keys in URLs, browser bundles, analytics events, screenshots, or client-side storage.