Security
MyTokenGate’s security practices and your responsibilities.
Data Security
Encryption
- In Transit: All API communications use TLS 1.3 encryption
- At Rest: Sensitive data encrypted with AES-256
- Key Storage: API keys are stored as SHA-256 hashes, not in plaintext
Data Retention
- Request logs retained for 30 days
- No prompt/response storage by default
- Billing data retained per legal requirements
Data Privacy
- No training on your data
- No data sharing with third parties
- GDPR and SOC 2 compliant
API Key Security
Best Practices
- Never hardcode keys in source code
- Use environment variables for key storage
- Rotate keys regularly (recommended: every 90 days)
- Use separate keys for different environments
- Monitor key usage for anomalies
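The practices above, worked through as an added example. This is not MyTokenGate's own code: it assumes keys carry the "sk-" prefix shown on this page, the environment variable MYTOKENGATE_API_KEY, the 90-day rotation window recommended above, and an assumed key charset for the hardcoded-key scanner. The sample source file is constructed and the key in it is fake.

```javascript
// Added example, not MyTokenGate's own code: client-side key hygiene that
// backs the best practices above. Assumed: keys start with "sk-" (the
// prefix shown on this page), the env var MYTOKENGATE_API_KEY, and the
// 90-day rotation window recommended above.

const KEY_PREFIX = "sk-";
const ROTATION_DAYS = 90;

// Read the key from the environment, never from source. Fail closed on a
// missing or malformed value rather than sending a bad credential.
function loadApiKey(env = process.env) {
  const key = env.MYTOKENGATE_API_KEY;
  if (typeof key !== "string" || key.length === 0) {
    throw new Error("MYTOKENGATE_API_KEY is not set");
  }
  if (!key.startsWith(KEY_PREFIX)) {
    throw new Error("MYTOKENGATE_API_KEY does not look like an API key");
  }
  return key;
}

// Log only the prefix and last four characters: enough to tell keys apart
// during an incident without ever writing the secret to a log line.
function redactKey(key) {
  if (key.length <= KEY_PREFIX.length + 4) return KEY_PREFIX + "****";
  return key.slice(0, KEY_PREFIX.length) + "..." + key.slice(-4);
}

// What a pre-commit hook or CI check does: flag quoted literals that look
// like keys. The key body charset and minimum length are assumptions.
const HARDCODED_KEY_RE = /["'`](sk-[A-Za-z0-9_-]{8,})["'`]/g;

function findHardcodedKeys(sourceText) {
  const findings = [];
  sourceText.split("\n").forEach((line, idx) => {
    for (const m of line.matchAll(HARDCODED_KEY_RE)) {
      findings.push({ line: idx + 1, key: redactKey(m[1]) });
    }
  });
  return findings;
}

// Days until a key reaches the rotation window; negative means overdue.
function daysUntilRotation(createdAt, now = new Date()) {
  const msPerDay = 24 * 60 * 60 * 1000;
  const ageDays = Math.floor((now.getTime() - new Date(createdAt).getTime()) / msPerDay);
  return ROTATION_DAYS - ageDays;
}

// Constructed sample source with one leaked (fake) key on line 3.
const SAMPLE_SOURCE = [
  'const client = new Client({ apiKey: process.env.MYTOKENGATE_API_KEY });',
  '// TODO: remove before commit',
  'const fallbackKey = "sk-live-0123456789abcdef";',
].join("\n");
```

Run findHardcodedKeys over a diff in a pre-commit hook and fail the commit on any finding; the redacted form is safe to print in CI output. daysUntilRotation takes the key's creation date from wherever you track it, and a negative result is the signal to cut a new key and retire the old one.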
Key Management
# Good: set the key in the environment and read it at runtime
export MYTOKENGATE_API_KEY="sk-xxx"
const apiKey = process.env.MYTOKENGATE_API_KEY;
# Bad: hardcoded, so it ends up in version control and build artifacts
const apiKey = "sk-xxx"; // Never do this!
Key Scopes
- Read-only: View account and usage
- Full access: All API operations
- Project-specific: Limited to one project
Access Control
Authentication
- Bearer token authentication
- JWT for session management
- Optional IP allowlisting
Authorization
- Role-based access control (RBAC)
- Team member permissions
- API key restrictions
Compliance
Certifications
- SOC 2 Type II certified
- GDPR compliant
- CCPA compliant
Audit Logs
- All access logged
- 90-day retention
- Exportable for compliance
Your Responsibilities
Secure Development
- Validate and sanitize all inputs
- Implement proper error handling
- Use HTTPS for all communications
Monitoring
- Monitor API usage patterns
- Set up alerts for anomalies
- Review audit logs regularly
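The monitoring steps above, as an added example that runs three anomaly checks over exported request logs. This is not MyTokenGate's tooling: the log line format, the baseline of known source IPs per key, the thresholds and the log lines themselves are constructed for illustration.

```javascript
// Added example, not MyTokenGate's own tooling: anomaly checks over request
// logs. Assumed line format (constructed): ISO timestamp, key id, client
// ip, method, path, HTTP status. Baselines and thresholds are assumptions.

const SAMPLE_LOG = `
2024-05-01T10:00:01Z key_ro 198.51.100.7 GET /usage 200
2024-05-01T10:00:05Z key_ro 198.51.100.7 GET /account 200
2024-05-01T10:00:09Z key_ro 198.51.100.7 POST /v1/chat 403
2024-05-01T10:00:10Z key_ro 198.51.100.7 POST /v1/chat 403
2024-05-01T10:00:11Z key_ro 198.51.100.7 POST /v1/chat 403
2024-05-01T10:02:00Z key_full 203.0.113.10 POST /v1/chat 200
2024-05-01T10:02:02Z key_full 192.0.2.44 POST /v1/chat 200
2024-05-01T10:02:03Z key_full 192.0.2.44 POST /v1/chat 200
2024-05-01T10:02:04Z key_full 192.0.2.44 POST /v1/chat 200
2024-05-01T10:02:05Z key_full 192.0.2.44 POST /v1/chat 200
2024-05-01T10:02:06Z key_full 192.0.2.44 POST /v1/chat 200
2024-05-01T10:02:07Z key_full 192.0.2.44 POST /v1/chat 200
`;

// Source IPs previously seen per key (assumed to come from earlier logs).
const KNOWN_IPS = {
  key_ro: new Set(["198.51.100.7"]),
  key_full: new Set(["203.0.113.10"]),
};

function parseLog(text) {
  return text.trim().split("\n").map((line) => {
    const [ts, keyId, ip, method, path, status] = line.trim().split(/\s+/);
    return { ts: new Date(ts), keyId, ip, method, path, status: Number(status) };
  });
}

// Three checks per key:
//  1. a request from an IP never seen for that key (possible theft)
//  2. more than maxPerMinute requests in any sliding 60 s window (abuse)
//  3. repeated 403s (a key being used outside its scope or project)
function detectAnomalies(events, { knownIps, maxPerMinute = 60, maxAuthFailures = 5 }) {
  const findings = [];
  const byKey = new Map();
  for (const e of events) {
    if (!byKey.has(e.keyId)) byKey.set(e.keyId, []);
    byKey.get(e.keyId).push(e);
  }
  for (const [keyId, evs] of byKey) {
    const baseline = knownIps[keyId] || new Set();
    const newIps = new Set(evs.map((e) => e.ip).filter((ip) => !baseline.has(ip)));
    for (const ip of newIps) findings.push({ keyId, type: "new_source_ip", detail: ip });

    const times = evs.map((e) => e.ts.getTime()).sort((a, b) => a - b);
    let start = 0;
    for (let i = 0; i < times.length; i++) {
      while (times[i] - times[start] >= 60000) start++;
      const inWindow = i - start + 1;
      if (inWindow > maxPerMinute) {
        findings.push({ keyId, type: "rate_spike", detail: `${inWindow} req/min` });
        break;
      }
    }

    const failures = evs.filter((e) => e.status === 403).length;
    if (failures >= maxAuthFailures) {
      findings.push({ keyId, type: "auth_failures", detail: String(failures) });
    }
  }
  return findings;
}
```

Tune the thresholds to each key's normal traffic; a new source IP is the finding most worth an immediate alert, since it is how a leaked key usually shows up first. A rate spike or a run of 403s from a key that should be read-only is the cue to revoke it and rotate.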
Incident Response
- Have a key revocation plan
- Know how to contact support
- Document security procedures
Reporting Security Issues
If you discover a security vulnerability, please report it responsibly:
- Email: security@mytokengate.com
- Do not disclose publicly until resolved
- We respond within 24 hours