
# Best Practices for Key & Token Management

> Best practices for securely managing SuprSend workspace keys, secrets, API keys, and service tokens in your backend, mobile, and frontend application code.

SuprSend provides multiple authentication methods, each with different scopes:

* **Workspace Key & Secret** → Backend SDK authentication
* **API Keys** → REST API authentication per workspace
* **Service Tokens** → Management API authentication across workspaces

This guide covers best practices for keeping them secure.

***

## 1. Workspace Key & Secret

* Pre-generated for each workspace.
* Used only with **backend SDKs**.
* Safer by design as the **Workspace Secret is never transmitted over the network**.

**Best Practices**:

* Never share Workspace Secrets (not even with SuprSend support).
* Store them securely in environment variables or a key management system.
* Rotate if compromised or leaked. Secret rotation is not currently available from the SuprSend dashboard; contact [support@suprsend.com](mailto:support@suprsend.com) to have a secret rotated.

***

## 2. API Keys

* Used for authenticating **REST API requests** at the workspace level.
* Each workspace has its own set of API Keys, isolating staging and production workspaces.

**Best Practices**:

* Treat API Keys as sensitive secrets - never expose them in client-side code.
* Always store keys securely (as environment variables or in a secure vault).
* Rotate periodically (for example, every 6 months).
* Rotate immediately if a key is compromised or accidentally exposed.
* Monitor API usage for anomalies on [SuprSend dashboard -> Logs (Requests tab)](https://app.suprsend.com/en/staging/logs/requests?last_n_minutes=1440) (unexpected spikes, unauthorized calls).

***

## 3. Service Tokens

* Used to authenticate **Management APIs**.
* Scoped at the **account level**, allowing cross-workspace operations (for example, promoting workflows from staging → production).
* Provide higher privilege than API Keys, so require stricter handling.

**Best Practices**:

* Limit use of Service Tokens to CI/CD pipelines and automation - avoid day-to-day manual use.
* Store them as environment variables or in an encrypted secrets manager.
* Rotate on a scheduled basis (every 6–12 months).
* Rotate immediately if exposed or if a privileged user leaves the team.
* Maintain strict access control - only admins or automation systems should have access.

***

## General Security Guidelines

1. **Never commit keys/tokens** to version control (for example, GitHub).
2. **Use environment variables** or a **Key Management Service** (for example, AWS KMS, HCP Vault, GCP Secret Manager).
3. **Follow least privilege principle** — share keys only with systems or people that need them.
4. **Set up monitoring & alerts** for unauthorized or unusual activity.
5. **Rotate keys/tokens** regularly and immediately upon suspected compromise.

***

## Rotation Strategy

* **Scheduled Rotation**
  * API Keys → every 6 months
  * Service Tokens → every 6–12 months
  * Workspace Secrets → rotate if organizational policy requires

* **Ad-Hoc Rotation**
  * Immediately upon exposure (logs, repositories, screenshots)
  * On suspicious activity or abuse
  * When a team member with access leaves
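The following is an added example, not SuprSend's own code: a small Python helper that loads each credential type from the environment (failing closed if one is missing) and applies the scheduled and ad-hoc rotation rules above to a credential inventory. The environment variable names are an assumption; use whatever naming your deployment already has.

```python
import os
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Scheduled rotation windows from the Rotation Strategy above, in days
# (6 months ~ 183 days, 12 months ~ 365 days). Workspace Secrets have no
# fixed schedule; they are rotated ad hoc (exposure or organizational policy).
ROTATION_POLICY_DAYS = {
    "api_key": (183, 183),         # (warn_after, overdue_after): every 6 months
    "service_token": (183, 365),   # 6-12 months: warn at 6, overdue at 12
    "workspace_secret": (None, None),
}

# Assumed variable names (not SuprSend's own); adapt to your deployment.
ENV_VARS = {
    "workspace_key": "SUPRSEND_WORKSPACE_KEY",
    "workspace_secret": "SUPRSEND_WORKSPACE_SECRET",
    "api_key": "SUPRSEND_API_KEY",
    "service_token": "SUPRSEND_SERVICE_TOKEN",
}

@dataclass
class Credential:
    kind: str               # one of the ROTATION_POLICY_DAYS keys
    created_on: str         # ISO date the credential was issued, e.g. "2024-01-01"
    exposed: bool = False   # True if it showed up in logs, a repo, a screenshot, ...

def rotation_status(cred: Credential, today: str) -> str:
    """Return 'rotate_now', 'overdue', 'due_soon' or 'ok' for one credential."""
    if cred.exposed:
        return "rotate_now"  # ad-hoc rotation: exposure overrides any schedule
    warn_after, overdue_after = ROTATION_POLICY_DAYS[cred.kind]
    if warn_after is None:
        return "ok"          # workspace secret: no scheduled rotation
    age = (date.fromisoformat(today) - date.fromisoformat(cred.created_on)).days
    if age >= overdue_after:
        return "overdue"
    if age >= warn_after:
        return "due_soon"
    return "ok"

def load_credential(kind: str, env: Optional[dict] = None) -> str:
    """Read a credential from the environment; refuse to start if it is absent."""
    env = os.environ if env is None else env
    name = ENV_VARS[kind]
    value = env.get(name, "").strip()
    if not value:
        raise RuntimeError(f"{name} is not set; refusing to run without it")
    return value
```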
