Security

Secure your embedding integration with these best practices

Follow these security best practices to keep your embedding integration secure.

1. Use Public Key (RS256)

The public-key method (RS256) is the only supported signing option, and also the most secure one:

  • Private key never leaves your server
  • No shared secrets to manage
  • Industry standard for JWT signing
  • Better audit trail

2. Short Token Expiration

Keep tokens valid for 5 minutes or less:

  • Reduces the risk if a token is intercepted
  • Limits damage from compromised tokens
  • Forces regular re-authentication
  • Prevents long-lived token abuse

3. Validate Origins

Only allow trusted domains:

  • Add production and staging domains explicitly
  • Remove domains you no longer use
  • Use wildcards carefully
  • Regularly review allowed origins list
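An allowlist check that puts the four points above into code, as an added example that is not part of the Round Two docs or SDK. It assumes Node.js 16 or later (built-in WHATWG `URL`), and the `ALLOWED_ORIGINS` list is a constructed sample. Wildcard entries are deliberately narrow: a `*` covers exactly one hostname label, bare `*` and `http://` entries are rejected when the list is loaded, and the request must arrive over HTTPS.

```javascript
// Added example, not Round Two's own code: Origin allowlist check for an embed
// or token request. Assumes Node.js >= 16 (WHATWG URL). ALLOWED_ORIGINS is a
// constructed sample: full origins, or a single-label wildcard such as
// "https://*.preview.example.com". http://, paths and bare "*" are rejected at
// load time rather than silently matching nothing.
const ALLOWED_ORIGINS = [
  'https://app.example.com',
  'https://staging.example.com:8443',
  'https://*.preview.example.com',
];

// Entry grammar: https://[*.]host[:port]. The host needs at least two labels,
// so a wildcard can never cover a whole TLD such as "*.com".
const ENTRY_RE = /^https:\/\/(\*\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?::(\d{1,5}))?$/i;

function compileAllowlist(entries) {
  return entries.map((entry) => {
    const m = ENTRY_RE.exec(entry.trim());
    if (!m) throw new Error(`invalid allowlist entry: ${entry}`);
    // URL.port reports '' for the default port, so normalise 443 to '' here.
    const port = m[3] === undefined || m[3] === '443' ? '' : m[3];
    return { wildcard: Boolean(m[1]), host: m[2].toLowerCase(), port };
  });
}

function isAllowedOrigin(originHeader, rules) {
  if (typeof originHeader !== 'string') return false; // absent Origin is not trusted
  let url;
  try { url = new URL(originHeader); } catch { return false; } // also rejects the literal "null" origin
  if (url.protocol !== 'https:') return false;
  const host = url.hostname; // already lower-cased by the URL parser
  return rules.some((rule) => {
    if (rule.port !== url.port) return false;
    if (!rule.wildcard) return host === rule.host;
    // Wildcard matches exactly one extra label: "pr-42.preview.example.com",
    // but not "preview.example.com" itself nor "a.b.preview.example.com".
    const suffix = '.' + rule.host;
    if (!host.endsWith(suffix)) return false;
    const label = host.slice(0, host.length - suffix.length);
    return label.length > 0 && !label.includes('.');
  });
}
```

Compile the list once at startup so that a typo or an over-broad entry fails loudly at deploy time, then call `isAllowedOrigin(req.headers.origin, rules)` on each request. Lookalike hosts such as `app.example.com.evil.net` or `evil-preview.example.com` fail the exact-match and single-label rules respectively.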

4. Secure Token Endpoint

Protect your token endpoint:

  • Require user authentication
  • Implement rate limiting
  • Log token generation for audit
  • Monitor for suspicious activity

5. Rate Limiting

Implement rate limiting on your token endpoint:

  • Prevent abuse and DoS attacks
  • Limit tokens per user per time period
  • Return appropriate error messages
  • Log rate limit violations
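A token-endpoint handler that applies sections 4 and 5 together, as an added example that is not Round Two's code. It assumes Node.js, a `req.session.user` object populated by your existing authentication middleware, and a `mintToken(user)` callback you supply (the actual JWT signing is out of scope here); the fixed-window limiter, event names and the in-memory `auditLog` are this example's own constructions.

```javascript
// Added example, not Round Two's own code: a token endpoint that requires an
// authenticated session, enforces a per-user fixed-window rate limit, and
// records every attempt for audit. Assumptions: req.session.user is set by your
// auth middleware; mintToken(user) is your signing function, injected here.
class FixedWindowLimiter {
  constructor({ limit, windowSeconds }) {
    this.limit = limit;
    this.windowSeconds = windowSeconds;
    this.buckets = new Map(); // key -> { windowStart, count }
  }

  // Returns { allowed, retryAfter } for `key` at `nowSeconds`.
  check(key, nowSeconds) {
    const windowStart = Math.floor(nowSeconds / this.windowSeconds) * this.windowSeconds;
    const existing = this.buckets.get(key);
    const bucket = existing && existing.windowStart === windowStart
      ? existing
      : { windowStart, count: 0 };
    if (bucket.count >= this.limit) {
      return { allowed: false, retryAfter: windowStart + this.windowSeconds - nowSeconds };
    }
    bucket.count += 1;
    this.buckets.set(key, bucket);
    return { allowed: true, retryAfter: 0 };
  }
}

// In production this would be your structured logger or SIEM forwarder.
const auditLog = [];

function handleTokenRequest(req, { limiter, mintToken, now = Math.floor(Date.now() / 1000) }) {
  const user = req.session && req.session.user;
  const base = { ts: now, ip: req.ip, userId: user ? user.id : null };

  if (!user) {
    auditLog.push({ ...base, event: 'token.denied', reason: 'unauthenticated' });
    return { status: 401, body: { error: 'authentication required' } };
  }

  const { allowed, retryAfter } = limiter.check(user.id, now);
  if (!allowed) {
    auditLog.push({ ...base, event: 'token.rate_limited', retryAfter });
    // Generic message: Retry-After is all the client needs to know.
    return {
      status: 429,
      headers: { 'Retry-After': String(retryAfter) },
      body: { error: 'too many requests' },
    };
  }

  const token = mintToken(user);
  auditLog.push({ ...base, event: 'token.issued' });
  return { status: 200, body: { token } };
}
```

With a 5-minute token lifetime, a limit in the order of a few tokens per user per minute is plenty for legitimate page loads; the exact number depends on how often your UI re-embeds. Keying the limiter on the authenticated user id (not only the IP) is what stops one account from exhausting the endpoint from many addresses.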

6. Secure Key Storage

Store keys securely:

  • Use environment variables
  • Never commit keys to version control
  • Use secret management services in production
  • Rotate keys periodically
  • Use different keys for production and staging

7. Monitor and Audit

Monitor your integration:

  • Log all token generation attempts
  • Track authentication failures
  • Monitor feedback submission rates
  • Set up alerts for suspicious activity
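A detector that turns the logged attempts into alerts, as an added example that is not Round Two's code. The JSON-lines audit records in `SAMPLE_LOG` are constructed for this example (the event names are this example's own, not a Round Two schema); the function flags any user or IP whose authentication failures reach a threshold inside a sliding window, which is the kind of rule you would feed your alerting pipeline.

```javascript
// Added example, not Round Two's own code: sliding-window burst detector over
// audit log lines. SAMPLE_LOG is constructed; event names are illustrative.
const SAMPLE_LOG = [
  '{"ts":1700000000,"event":"auth.failed","userId":null,"ip":"203.0.113.7"}',
  '{"ts":1700000030,"event":"auth.failed","userId":null,"ip":"203.0.113.7"}',
  '{"ts":1700000060,"event":"token.issued","userId":"u1","ip":"198.51.100.2"}',
  '{"ts":1700000090,"event":"auth.failed","userId":null,"ip":"203.0.113.7"}',
  'this line is not json',
  '{"ts":1700000120,"event":"auth.failed","userId":null,"ip":"203.0.113.7"}',
  '{"ts":1700000150,"event":"token.rate_limited","userId":"u9","ip":"198.51.100.9"}',
  '{"ts":1700001000,"event":"auth.failed","userId":null,"ip":"203.0.113.7"}',
].join('\n');

// Parse JSON lines, skipping (but counting) anything malformed so one bad
// line never stops the whole scan.
function parseAuditLog(text) {
  const events = [];
  let malformed = 0;
  for (const line of text.split('\n')) {
    if (!line.trim()) continue;
    try {
      const e = JSON.parse(line);
      if (typeof e.ts !== 'number' || typeof e.event !== 'string') throw new Error('shape');
      events.push(e);
    } catch {
      malformed += 1;
    }
  }
  return { events, malformed };
}

// Alert on any key (user id, or IP when unauthenticated) with at least
// `failureThreshold` failures within any `windowSeconds` span.
function findFailureBursts(events, { failureThreshold = 4, windowSeconds = 300 } = {}) {
  const byKey = new Map();
  for (const e of events) {
    if (e.event !== 'auth.failed' && e.event !== 'token.denied') continue;
    const key = e.userId ? `user:${e.userId}` : `ip:${e.ip}`;
    if (!byKey.has(key)) byKey.set(key, []);
    byKey.get(key).push(e.ts);
  }
  const alerts = [];
  for (const [key, times] of byKey) {
    times.sort((a, b) => a - b);
    let start = 0;
    for (let end = 0; end < times.length; end++) {
      while (times[end] - times[start] > windowSeconds) start += 1; // slide the window forward
      const count = end - start + 1;
      if (count >= failureThreshold) {
        alerts.push({ key, count, from: times[start], to: times[end] });
        break; // one alert per key is enough to page on
      }
    }
  }
  return alerts;
}
```

Run it over a rolling export of the endpoint's audit records (for example every minute) and route the returned alerts to whatever pages your on-call; the `malformed` count is itself worth graphing, since a sudden rise usually means a logging change rather than an attack.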

8. Validate User Data

Ensure user data is valid:

  • Sanitize user input
  • Validate email format
  • Verify avatar URLs are safe
  • Check user permissions if needed
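Validation of the user object before it goes into a token, as an added example that is not Round Two's code. The field names (`id`, `name`, `email`, `avatarUrl`), the size limits and the optional avatar host allowlist are this example's assumptions; it assumes Node.js 16 or later for the WHATWG `URL` parser.

```javascript
// Added example, not Round Two's own code: validate and sanitise the user
// fields you embed. Field names and limits are assumptions for illustration.
const MAX_NAME = 80;
const MAX_EMAIL = 254;
const MAX_URL = 2048;
// Pragmatic email shape check: one "@", no whitespace, dotted domain.
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
const ID_RE = /^[A-Za-z0-9_-]{1,64}$/;

// Replace control characters (including newlines) with spaces, collapse
// whitespace, trim and cap the length so a display name stays a display name.
function sanitizeName(raw) {
  if (typeof raw !== 'string') return '';
  return raw
    .replace(/[\u0000-\u001f\u007f]/g, ' ')
    .replace(/\s+/g, ' ')
    .trim()
    .slice(0, MAX_NAME);
}

// Returns a normalised https URL, or null if the value is not safe to render
// as an <img src>. Rejects javascript:/data:/http: schemes and embedded
// credentials; optionally restricts the host to a known CDN set.
function safeAvatarUrl(raw, allowedHosts = null) {
  if (typeof raw !== 'string' || raw.length > MAX_URL) return null;
  let url;
  try { url = new URL(raw); } catch { return null; }
  if (url.protocol !== 'https:') return null;
  if (url.username || url.password) return null;
  if (allowedHosts && !allowedHosts.has(url.hostname)) return null;
  return url.href;
}

function validateEmbedUser(input, { avatarHosts = null } = {}) {
  if (typeof input !== 'object' || input === null) {
    return { ok: false, errors: ['user'], user: null };
  }
  const errors = [];
  const user = {};

  if (typeof input.id === 'string' && ID_RE.test(input.id)) user.id = input.id;
  else errors.push('id');

  user.name = sanitizeName(input.name);
  if (!user.name) errors.push('name');

  const email = typeof input.email === 'string' ? input.email.trim().toLowerCase() : '';
  if (email.length > MAX_EMAIL || !EMAIL_RE.test(email)) errors.push('email');
  else user.email = email;

  if (input.avatarUrl !== undefined) { // avatar is optional
    const href = safeAvatarUrl(input.avatarUrl, avatarHosts);
    if (href === null) errors.push('avatarUrl');
    else user.avatarUrl = href;
  }

  const ok = errors.length === 0;
  return { ok, errors, user: ok ? user : null };
}
```

Call `validateEmbedUser` on the server, right before signing, with whatever your own user store returns; refusing to mint a token when `ok` is false keeps a malformed or malicious profile value from ever reaching the embedded UI.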

9. HTTPS Only

Always use HTTPS:

  • Protect tokens in transit
  • Prevent man-in-the-middle attacks
  • Ensure secure communication
  • Required for production

10. Regular Key Rotation

Rotate keys periodically:

  • Generate new key pairs regularly
  • Update public key in Round Two
  • Update private key in your application
  • Monitor for any issues during rotation

Feedback

This feature is in public beta. We'd love to hear your thoughts! If you have feedback, suggestions, or encounter any issues, please contact us.