Key management fundamentals
API keys should be workspace-scoped, revocable, and rotated with minimal downtime. Secret values must stay server-side only.
Treat each key as production infrastructure. Document owners, usage boundaries, and renewal cadence.
Team roles and project scoping
Not every collaborator needs full workspace permissions. Restrict project access where possible and separate billing, template, and operational responsibilities.
Granular access reduces blast radius and makes incident forensics clearer.
Audit trails that help in incidents
Track critical actions such as project creation, service changes, template updates, and outbound send failures with actor and timestamp metadata.
Fast incident response depends on having trustworthy history, not only uptime dashboards.
- Server-only API key usage
- Role-based team access
- Action-level audit history
- Documented escalation contacts