
# Best Practices for Key & Token Management

> How to securely manage Workspace Keys, Secrets, API Keys, and Service Tokens in your application and backend code.

SuprSend provides multiple authentication methods, each with different scopes:

* **Workspace Key & Secret** → Backend SDK authentication
* **API Keys** → REST API authentication per workspace
* **Service Tokens** → Management API authentication across workspaces

This guide covers best practices for keeping them secure.

***

## 1. Workspace Key & Secret

* Pre-generated for each workspace.
* Used only with **backend SDKs**.
* Safer by design, because the **Workspace Secret is never transmitted over the network**.

**Best Practices**:

* Never share Workspace Secrets (not even with SuprSend support).
* Store them securely in environment variables or a key management system.
* Rotate if compromised or leaked. Secret rotation is not currently available from the SuprSend dashboard; contact [support@suprsend.com](mailto:support@suprsend.com) to rotate a Workspace Secret.

***

## 2. API Keys

* Used for authenticating **REST API requests** at the workspace level.
* Each workspace has its own set of API Keys, isolating staging and production workspaces.

**Best Practices**:

* Treat API Keys as sensitive secrets - never expose them in client-side code.
* Always store keys securely (as environment variables or in a secure vault).
* Rotate periodically (for example, every 6 months).
* Rotate immediately if a key is compromised or accidentally exposed.
* Monitor API usage for anomalies on [SuprSend dashboard -> Logs (Requests tab)](https://app.suprsend.com/en/staging/logs/requests?last_n_minutes=1440) (unexpected spikes, unauthorized calls).
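The monitoring point above is easier to act on with a concrete check. The following is an added example (not SuprSend's code): it parses a constructed request-log format, compares each key's hourly call volume against an assumed per-key baseline, and counts rejected (401/403) calls per key. The log line shape, the key labels and the baseline numbers are all constructed for illustration; SuprSend's dashboard request logs are not assumed to have this exact format.

```python
"""Spot anomalous API-key usage in request logs.

Added example, not SuprSend's code. The log line format and the per-key
baselines are constructed for illustration.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed format: "<ISO-8601 UTC timestamp> key=<key label> status=<HTTP status>".
# The label identifies the key in your inventory; the key value itself never appears in logs.
LOG_RE = re.compile(r"^(?P<ts>\S+) key=(?P<key>\S+) status=(?P<status>\d{3})$")

# Constructed sample: prod-key-1 runs at its normal rate in the 10:00 hour, then makes
# 35 calls in the 11:00 hour (a spike); old-key-2 produces six rejected (401) calls.
SAMPLE_LOG_LINES = (
    [f"2024-05-01T10:{m:02d}:00Z key=prod-key-1 status=200" for m in range(0, 60, 6)]
    + [f"2024-05-01T11:{m:02d}:00Z key=prod-key-1 status=200" for m in range(35)]
    + [f"2024-05-01T11:{m:02d}:00Z key=old-key-2 status=401" for m in range(6)]
    + ["this line is malformed and must be skipped rather than crash the parser"]
)

# Assumed expected requests per hour per key, e.g. derived from the previous week's logs.
BASELINE_PER_HOUR = {"prod-key-1": 10, "old-key-2": 5}


def parse_log(lines):
    """Parse log lines into (timestamp, key label, status) tuples, skipping malformed lines."""
    records = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        records.append((ts, m["key"], int(m["status"])))
    return records


def detect_anomalies(records, baseline_per_hour, spike_factor=3.0, max_unauthorized=5):
    """Return findings for hourly volume spikes and for keys accumulating 401/403 responses."""
    per_key_hour = defaultdict(Counter)
    unauthorized = Counter()
    for ts, key, status in records:
        hour = ts.replace(minute=0, second=0, microsecond=0)
        per_key_hour[key][hour] += 1
        if status in (401, 403):
            unauthorized[key] += 1

    findings = []
    for key, hours in per_key_hour.items():
        baseline = baseline_per_hour.get(key)
        if baseline is None:
            # A key without a baseline is itself worth reporting: nothing is known about its normal use.
            findings.append({"key": key, "type": "no-baseline", "count": sum(hours.values())})
            continue
        for hour, n in sorted(hours.items()):
            if n >= spike_factor * baseline:
                findings.append({"key": key, "type": "spike", "hour": hour.isoformat(), "count": n})
    for key, n in unauthorized.items():
        if n >= max_unauthorized:
            findings.append({"key": key, "type": "unauthorized", "count": n})
    return findings


if __name__ == "__main__":
    for finding in detect_anomalies(parse_log(SAMPLE_LOG_LINES), BASELINE_PER_HOUR):
        print(finding)
```

Run against the sample it reports one spike for `prod-key-1` and one unauthorized-call finding for `old-key-2`. The spike factor and the 401/403 threshold are deliberately parameters: a key that legitimately bursts (batch jobs) needs a higher factor, and a key that should never be rejected deserves a threshold of one.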

***

## 3. Service Tokens

* Used to authenticate **Management APIs**.
* Scoped at the **account level**, allowing cross-workspace operations (for example, promoting workflows from staging → production).
* Carry higher privilege than API Keys, so they require stricter handling.

**Best Practices**:

* Limit use of Service Tokens to CI/CD pipelines and automation - avoid day-to-day manual use.
* Store them as environment variables or in an encrypted secrets manager.
* Rotate on a scheduled basis (every 6–12 months).
* Rotate immediately if exposed or if a privileged user leaves the team.
* Maintain strict access control - only admins or automation systems should have access.

***

## General Security Guidelines

1. **Never commit keys/tokens** to version control (for example, GitHub).
2. **Use environment variables** or a **Key Management Service** (for example, AWS KMS, HCP Vault, GCP Secret Manager).
3. **Follow least privilege principle** — share keys only with systems or people that need them.
4. **Set up monitoring & alerts** for unauthorized or unusual activity.
5. **Rotate keys/tokens** regularly and immediately upon suspected compromise.
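Guideline 1 (never commit keys or tokens) is the one most easily enforced mechanically. The following added example (not SuprSend's tooling) is a minimal pre-commit style scanner: it flags lines that assign a long string literal to a credential-like name (API key, workspace key/secret, service token) and skips obvious placeholders. The name patterns, the placeholder heuristics and the sample file are constructed for illustration; the credential values in the sample are made up.

```python
"""Flag credential-looking literals in source before they reach version control.

Added example, not SuprSend's own tooling. Patterns and sample file are constructed.
"""
import re
import sys

# Identifiers that commonly hold credentials (the page's terms: workspace key/secret, API key, service token).
NAME = r"(?P<name>[A-Za-z0-9_]*(?:api[_-]?key|workspace[_-]?(?:key|secret)|service[_-]?token|secret|token)[A-Za-z0-9_]*)"
# name = "literal" or name: "literal" in source code, with at least 16 characters between matching quotes.
QUOTED_RE = re.compile(r"(?i)\b" + NAME + r"""\s*[:=]\s*(?P<quote>['"])(?P<value>[^'"]{16,})(?P=quote)""")
# NAME=value lines in .env-style files, optionally followed by a comment.
DOTENV_RE = re.compile(r"(?i)^\s*(?:export\s+)?" + NAME + r"\s*=\s*(?P<value>[A-Za-z0-9_\-]{16,})\s*(?:#.*)?$")
# Values that are obviously not real credentials.
PLACEHOLDER_RE = re.compile(r"(?i)^(?:<.*>|x+|\$\{.*\}|your[_-].*|replace[_-]?me.*|changeme.*)$")


def redact(value):
    """Keep a short prefix so a finding is recognisable without reproducing the secret."""
    return value[:4] + "*" * 8


def scan_text(text, filename="<stdin>"):
    """Return one finding per line that assigns a non-placeholder literal to a credential-like name."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = QUOTED_RE.search(line) or DOTENV_RE.match(line)
        if not m or PLACEHOLDER_RE.match(m["value"]):
            continue
        findings.append({"file": filename, "line": lineno, "name": m["name"], "preview": redact(m["value"])})
    return findings


def scan_paths(paths):
    """Scan each file on disk and collect findings across all of them."""
    results = []
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            results.extend(scan_text(fh.read(), path))
    return results


# Constructed sample file: lines 4-6 should be flagged, lines 1-3 should not.
SAMPLE_SOURCE = '''\
import os
SUPRSEND_WORKSPACE_KEY = os.environ["SUPRSEND_WORKSPACE_KEY"]  # fine: read from the environment
api_key = "<your-api-key-here>"  # fine: obvious placeholder
service_token = "st_constructed_example_value_0123456789"  # flagged: hardcoded literal
WORKSPACE_SECRET = "wss-constructed-example-secret-abcdef"  # flagged: hardcoded literal
SUPRSEND_API_KEY=apikey_constructed_0123456789  # flagged: unquoted .env style
'''


if __name__ == "__main__":
    # With file arguments it behaves like a pre-commit hook: non-zero exit blocks the commit.
    results = scan_paths(sys.argv[1:]) if len(sys.argv) > 1 else scan_text(SAMPLE_SOURCE, "settings.py")
    for f in results:
        print(f"{f['file']}:{f['line']}: {f['name']} = {f['preview']}")
    sys.exit(1 if results else 0)
```

Wire it into a pre-commit hook by passing the staged file paths as arguments; a non-zero exit blocks the commit. The name list is a heuristic and will need tuning per code base (for instance `token` also matches `tokenizer`), which is why the output shows only a redacted prefix: the hook's own output must never become another place the secret is written down.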

***

## Rotation Strategy

* **Scheduled Rotation**
  * API Keys → every 6 months
  * Service Tokens → every 6–12 months
  * Workspace Secrets → rotate if organizational policy requires

* **Ad-Hoc Rotation**
  * Immediately upon exposure (logs, repositories, screenshots)
  * On suspicious activity or abuse
  * When a team member with access leaves
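The schedule and the ad-hoc triggers above can be applied to a credential inventory so that what is due is computed rather than remembered. The following added example (not SuprSend's code) does that: it uses the page's intervals (API Keys 6 months, Service Tokens 6–12 months with the upper bound as the hard limit, Workspace Secrets only when policy sets an interval) and lets exposure, suspicious activity or a departed access holder take precedence over the schedule. The inventory records and their field names are constructed; the script only reports, since rotation itself happens in the dashboard or via support.

```python
"""Decide which credentials are due for rotation from an inventory.

Added example, not SuprSend's code. Inventory records and field names
(kind, last_rotated, exposed, suspicious, holder_active) are constructed.
"""
from datetime import date

# Scheduled intervals from the page, in days (a month taken as 30 days).
# Workspace secrets have no fixed interval on the page: pass policy_max_age_days for them.
SCHEDULED_MAX_AGE_DAYS = {
    "api_key": 6 * 30,
    "service_token": 12 * 30,  # page allows 6-12 months; the upper bound is the hard limit here
}

# Constructed inventory. Each record names a credential; it never holds the credential's value.
SAMPLE_INVENTORY = [
    {"id": "prod-api-key", "kind": "api_key", "last_rotated": date(2023, 11, 1)},
    {"id": "staging-api-key", "kind": "api_key", "last_rotated": date(2024, 5, 1)},
    {"id": "ci-service-token", "kind": "service_token", "last_rotated": date(2024, 2, 1), "holder_active": False},
    {"id": "leaked-token", "kind": "service_token", "last_rotated": date(2024, 5, 20), "exposed": True},
    {"id": "ws-secret", "kind": "workspace_secret", "last_rotated": date(2023, 4, 1)},
]


def rotation_actions(inventory, today, policy_max_age_days=None):
    """Return (credential id, reason) pairs; ad-hoc triggers take precedence over the schedule.

    `today` may be a date or an ISO-8601 string such as "2024-06-01".
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    actions = []
    for cred in inventory:
        if cred.get("exposed"):
            actions.append((cred["id"], "exposed"))
        elif cred.get("suspicious"):
            actions.append((cred["id"], "suspicious activity"))
        elif not cred.get("holder_active", True):
            actions.append((cred["id"], "access holder left"))
        else:
            if cred["kind"] == "workspace_secret":
                limit = policy_max_age_days  # None means no scheduled rotation for workspace secrets
            else:
                limit = SCHEDULED_MAX_AGE_DAYS[cred["kind"]]  # unknown kinds raise KeyError on purpose
            if limit is not None and (today - cred["last_rotated"]).days > limit:
                actions.append((cred["id"], "scheduled rotation overdue"))
    return actions


if __name__ == "__main__":
    for cred_id, reason in rotation_actions(SAMPLE_INVENTORY, date.today()):
        print(f"rotate {cred_id}: {reason}")
```

Running this daily from a scheduler (with the inventory kept beside the secrets manager, not inside it) turns the rotation strategy into a standing check; the `holder_active` flag is the hook for the "team member leaves" trigger and can be fed from the identity provider's offboarding events.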
