- Workspace Key & Secret → Backend SDK authentication
- API Keys → REST API authentication per workspace
- Service Tokens → Management API authentication across workspaces
1. Workspace Key & Secret
- Pre-generated for each workspace.
- Used only with backend SDKs.
- Safer by design as the Workspace Secret is never transmitted over the network.
- Never share Workspace Secrets (not even with SuprSend support).
- Store them securely in environment variables or a key management system.
- Rotate if compromised or leaked. Secret rotation is not currently available in the SuprSend dashboard; reach out to support@suprsend.com to have a Workspace Secret rotated.
2. API Keys
- Used for authenticating REST API requests at the workspace level.
- Each workspace has its own set of API Keys, isolating staging and production environments.
- Treat API Keys as sensitive secrets — never expose them in client-side code.
- Always store keys securely (as environment variables or in a secure vault).
- Rotate periodically (e.g., every 6 months).
- Rotate immediately if a key is compromised or accidentally exposed.
- Monitor API usage for anomalies (unexpected spikes, unauthorized calls) in the SuprSend dashboard under Logs -> Requests tab.
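To make the "unexpected spikes, unauthorized calls" check concrete, here is an added example (not SuprSend's code or dashboard logic) that runs both detections over request-log lines. The log line format, key identifiers, path and timestamps are constructed for the example; the format of the dashboard's Requests tab is not assumed, so adapt `parse_log()` to whatever export or SIEM feed you actually use.

```python
"""Flag API-key anomalies in request logs: per-minute rate spikes and
unauthorized (401/403) responses.

Added example, not SuprSend code. The log line format, key ids, path and
timestamps below are constructed for illustration; adapt parse_log() to the
export or SIEM feed you actually use. Log only a key identifier, never the key.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import median

# Constructed sample log: "<iso-timestamp> <key id> <method> <path> <status>"
_BASELINE = [
    "2024-05-01T10:00:05Z key_prod_7f3a POST /v1/example 202",
    "2024-05-01T10:00:40Z key_prod_7f3a POST /v1/example 202",
    "2024-05-01T10:01:10Z key_prod_7f3a POST /v1/example 202",
    "2024-05-01T10:01:50Z key_prod_7f3a POST /v1/example 202",
    "2024-05-01T10:02:30Z key_prod_7f3a POST /v1/example 202",
    "2024-05-01T10:02:45Z key_prod_7f3a POST /v1/example 202",
]
# A burst of 12 calls inside minute 10:03 (constructed spike).
_BURST = [f"2024-05-01T10:03:{s:02d}Z key_prod_7f3a POST /v1/example 202"
          for s in range(0, 60, 5)]
# A staging key being replayed and rejected (constructed unauthorized calls).
_UNAUTH = [
    "2024-05-01T10:04:00Z key_stg_19c2 POST /v1/example 401",
    "2024-05-01T10:04:05Z key_stg_19c2 POST /v1/example 403",
]
SAMPLE_LOG = "\n".join(_BASELINE + _BURST + _UNAUTH)


@dataclass(frozen=True)
class Request:
    ts: datetime
    key_id: str
    method: str
    path: str
    status: int


def parse_log(text: str) -> list[Request]:
    """Parse the constructed whitespace-separated format; skip blank lines."""
    requests = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, key_id, method, path, status = line.split()
        requests.append(Request(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                                key_id, method, path, int(status)))
    return requests


def per_minute_counts(requests):
    """key id -> Counter of requests per minute bucket."""
    counts = defaultdict(Counter)
    for r in requests:
        counts[r.key_id][r.ts.replace(second=0, microsecond=0)] += 1
    return counts


def detect_spikes(requests, spike_factor=3.0, min_requests=10):
    """A minute is a spike when its count exceeds spike_factor x the key's
    median per-minute count and also reaches an absolute floor (min_requests),
    so a rarely used key does not alert on two calls."""
    findings = []
    for key_id, minutes in per_minute_counts(requests).items():
        baseline = median(minutes.values())
        for minute, n in sorted(minutes.items()):
            if n >= min_requests and n > spike_factor * baseline:
                findings.append((key_id, minute.isoformat(), n, baseline))
    return findings


def detect_unauthorized(requests, statuses=(401, 403)):
    """key id -> number of rejected calls. A revoked or mis-scoped key that
    keeps being used means a copy exists somewhere it should not."""
    return dict(Counter(r.key_id for r in requests if r.status in statuses))


if __name__ == "__main__":
    reqs = parse_log(SAMPLE_LOG)
    for key_id, minute, n, baseline in detect_spikes(reqs):
        print(f"SPIKE   {key_id} at {minute}: {n} calls (median {baseline}/min)")
    for key_id, n in detect_unauthorized(reqs).items():
        print(f"DENIED  {key_id}: {n} unauthorized responses")
```

The median baseline is deliberately robust to the spike itself (a mean would be dragged up by the burst); the absolute floor keeps low-volume keys from paging you on normal variance. Tune `spike_factor` and `min_requests` to the traffic each workspace actually sees.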
3. Service Tokens
- Used to authenticate Management APIs.
- Scoped at the account level, allowing cross-workspace operations (e.g., promoting workflows from staging → production).
- Provide higher privilege than API Keys, so require stricter handling.
- Limit use of Service Tokens to CI/CD pipelines and automation — avoid day-to-day manual use.
- Store them as environment variables or in an encrypted secrets manager.
- Rotate on a scheduled basis (every 6–12 months).
- Rotate immediately if exposed or if a privileged user leaves the team.
- Maintain strict access control — only admins or automation systems should have access.
General Security Guidelines
- Never commit keys/tokens to version control (e.g., GitHub).
- Use environment variables or a Key Management Service (e.g., AWS KMS, HCP Vault, GCP Secret Manager).
- Follow the principle of least privilege — share keys only with the systems or people that need them.
- Set up monitoring & alerts for unauthorized or unusual activity.
- Rotate keys/tokens regularly and immediately upon suspected compromise.
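The first guideline ("never commit keys/tokens to version control") is easiest to enforce mechanically. The following added example, which is not SuprSend tooling, is a pre-commit style check that refuses a commit when a credential-looking variable is assigned to a string literal. It does not assume any SuprSend key or token format; it keys off variable names (api_key, secret, token, password) and lets through values read from the environment or obvious placeholders. The staged files it scans are constructed for the example.

```python
"""Pre-commit style check that refuses to commit a credential-looking
variable assigned to a string literal.

Added example, not SuprSend tooling. SuprSend key/token formats are not
assumed; the check keys off variable names (api_key, secret, token,
password) and lets through values read from the environment or obvious
placeholders. The sample files below are constructed.
"""
import re

# Variable names that usually hold credentials (case-insensitive substring match).
CREDENTIAL_NAME = re.compile(r"api[_-]?key|secret|token|password", re.IGNORECASE)

# Matches `NAME = "value"`, `export NAME='value'`, `name := "value"`,
# `name: value` and `NAME=value` (env files). After the value only a comment
# may follow, so a lookup such as os.environ["KEY"] does not match.
ASSIGNMENT = re.compile(
    r"""^\s*(?:export\s+)?(?P<name>[A-Za-z_][\w.]*)\s*(?:=|:=?)\s*"""
    r"""(?P<quote>["']?)(?P<value>[^"'\s#]+)(?P=quote)\s*(?:#.*)?$"""
)
PLACEHOLDERS = {"changeme", "your_key_here", "xxx", "<redacted>", "placeholder"}
MIN_SECRET_LENGTH = 8  # shorter literals are almost never real credentials


def find_hardcoded_secrets(filename: str, text: str) -> list[tuple[str, int, str]]:
    """Return (file, line number, variable name) for each suspicious literal."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = ASSIGNMENT.match(line)
        if not m or not CREDENTIAL_NAME.search(m.group("name")):
            continue
        value = m.group("value")
        if value.lower() in PLACEHOLDERS or len(value) < MIN_SECRET_LENGTH:
            continue
        findings.append((filename, lineno, m.group("name")))
    return findings


def scan_files(files: dict[str, str]) -> list[tuple[str, int, str]]:
    """files maps path -> contents, as a hook would read them from the staged tree."""
    findings = []
    for path, text in files.items():
        findings.extend(find_hardcoded_secrets(path, text))
    return findings


def should_block_commit(files: dict[str, str]) -> bool:
    return bool(scan_files(files))


# Constructed staged files: one correct env lookup, two leaked literals, one placeholder.
SAMPLE_FILES = {
    "settings.py": (
        'SUPRSEND_WORKSPACE_KEY = os.environ["SUPRSEND_WORKSPACE_KEY"]\n'
        'SUPRSEND_WORKSPACE_SECRET = "ws_secret_EXAMPLE_0123456789"  # constructed leak\n'
        'DEBUG = "true"\n'
    ),
    ".env.example": "SUPRSEND_API_KEY=changeme\n",
    "deploy.sh": 'export SERVICE_TOKEN="svc_token_EXAMPLE_abcdef"\n',
}

if __name__ == "__main__":
    for path, lineno, name in scan_files(SAMPLE_FILES):
        print(f"{path}:{lineno}: {name} is assigned a literal; load it from the environment instead")
    raise SystemExit(1 if should_block_commit(SAMPLE_FILES) else 0)
```

A name-based heuristic like this catches the common mistake (pasting a key into a config file) without knowing the provider's key format; pair it with a dedicated secret scanner for broader coverage. The check is only a safety net: a key that was committed and then removed is still in history and must be rotated.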
Rotation Strategy
- Scheduled Rotation
  - API Keys → every 6 months
  - Service Tokens → every 6–12 months
  - Workspace Secrets → rotate if organizational policy requires
- Ad-Hoc Rotation
  - Immediately upon exposure (logs, repos, screenshots)
  - On suspicious activity or abuse
  - When a team member with access leaves
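The scheduled and ad-hoc rules above combine into a simple decision procedure. The following added example (not SuprSend tooling) applies it to a credential inventory: ad-hoc triggers force rotation regardless of age, and otherwise a credential is due once its scheduled window has elapsed. The inventory, names, dates and flags are constructed placeholders; for Service Tokens the stricter end of the 6–12 month range is used, and Workspace Secrets get no fixed schedule.

```python
"""Compute which credentials are due for rotation under the schedule on this
page, with ad-hoc triggers overriding the schedule.

Added example, not SuprSend tooling. The inventory, dates, names and flags
below are constructed placeholders. Windows used: API Keys every 6 months,
Service Tokens every 6 months (the stricter end of the page's 6-12 month
range), Workspace Secrets on policy or exposure only.
"""
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Months between scheduled rotations per credential kind; None = no fixed schedule.
SCHEDULE_MONTHS = {"api_key": 6, "service_token": 6, "workspace_secret": None}


@dataclass
class Credential:
    name: str
    kind: str
    last_rotated: date
    exposed: bool = False              # seen in logs, repos, screenshots ...
    suspicious_activity: bool = False  # abuse or anomalies observed
    owner_departed: bool = False       # a team member with access left


def add_months(d: date, months: int) -> date:
    """Calendar-aware month arithmetic (Jan 31 + 1 month -> Feb 29/28)."""
    month_index = d.month - 1 + months
    year, month = d.year + month_index // 12, month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def rotation_reason(cred: Credential, today: date) -> Optional[str]:
    """Ad-hoc triggers come first: they force rotation regardless of age."""
    if cred.exposed:
        return "ad-hoc: exposed"
    if cred.suspicious_activity:
        return "ad-hoc: suspicious activity"
    if cred.owner_departed:
        return "ad-hoc: owner left"
    months = SCHEDULE_MONTHS[cred.kind]
    if months is None:
        return None
    deadline = add_months(cred.last_rotated, months)
    if deadline <= today:
        return f"scheduled: {months}-month deadline {deadline.isoformat()} reached"
    return None


def rotation_plan(inventory, today):
    """name -> reason, for every credential that must be rotated now."""
    plan = {}
    for cred in inventory:
        reason = rotation_reason(cred, today)
        if reason:
            plan[cred.name] = reason
    return plan


# Constructed inventory; names and dates are placeholders.
SAMPLE_INVENTORY = [
    Credential("prod-api-key", "api_key", date(2024, 2, 15)),
    Credential("staging-api-key", "api_key", date(2024, 6, 1)),
    Credential("ci-service-token", "service_token", date(2024, 5, 10), owner_departed=True),
    Credential("prod-workspace-secret", "workspace_secret", date(2023, 1, 1)),
    Credential("stg-workspace-secret", "workspace_secret", date(2024, 8, 20), exposed=True),
]

if __name__ == "__main__":
    for name, reason in rotation_plan(SAMPLE_INVENTORY, date(2024, 9, 1)).items():
        print(f"ROTATE {name}: {reason}")
```

Run this from a scheduled job against your real inventory and alert on a non-empty plan; the ad-hoc flags are the hooks for your incident process and offboarding workflow to set.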