Security and Privacy

Recommended controls for secure SDK usage in production environments.

Key management

  • Client runtimes must use public client keys only.
  • Server keys should live only in backend secret stores.
  • Rotate keys on a schedule and during incident response.

Privacy controls

  • Avoid sending raw PII unless explicitly required for targeting.
  • Prefer normalized IDs over direct email/phone values in the context.
  • Implement attribute allowlists for mobile and browser clients.
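The two privacy controls above, combined in one added example that is not part of this SDK's documentation: a backend-side helper that turns an email or phone number into a normalized, non-reversible ID, and a client-side filter that enforces an attribute allowlist before any context leaves a browser or mobile runtime. The attribute names, the allowlist contents and the backend secret are constructed for this illustration.

```python
import hashlib
import hmac

# Constructed example values: the attribute names and the allowlist are
# assumptions for this illustration, not part of any SDK's schema.
CLIENT_ATTRIBUTE_ALLOWLIST = frozenset({"key", "country", "plan", "app_version"})
DIRECT_IDENTIFIERS = frozenset({"email", "phone"})


def normalized_id(identifier: str, secret: bytes) -> str:
    """Backend-side: derive a stable, non-reversible ID from an email or phone.

    The value is canonicalised (trimmed, lower-cased) so one person maps to one
    ID, then keyed-hashed so the raw identifier cannot be recovered from the
    context by anyone who does not hold the backend secret.
    """
    canonical = identifier.strip().lower().encode("utf-8")
    return hmac.new(secret, canonical, hashlib.sha256).hexdigest()[:32]


def client_safe_context(context: dict) -> tuple[dict, list[str]]:
    """Client-side: keep only allowlisted attributes before sending context.

    Returns the filtered context and the names of dropped attributes so the
    caller can log that something was stripped (names only, never values).
    Direct identifiers are always dropped, even if someone adds them to the
    allowlist by mistake.
    """
    safe = {}
    dropped = []
    for name, value in context.items():
        if name in DIRECT_IDENTIFIERS or name not in CLIENT_ATTRIBUTE_ALLOWLIST:
            dropped.append(name)
        else:
            safe[name] = value
    return safe, sorted(dropped)


if __name__ == "__main__":
    # Constructed sample: the backend already supplied a normalized ID as the
    # "key", but the raw email and an unrelated token leaked into the context.
    backend_secret = b"example-backend-secret"  # placeholder; keep in a secret store
    ctx = {
        "key": normalized_id("Alice@Example.com", backend_secret),
        "email": "alice@example.com",
        "country": "DE",
        "plan": "pro",
        "session_token": "opaque",
    }
    safe, dropped = client_safe_context(ctx)
    print(safe, dropped)
```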

Network security

  • Use TLS for all relay communication.
  • Constrain relay origins and CORS where applicable.
  • Apply rate limits and auth verification at the relay edge.

Operational controls

  • Log key usage events without exposing full key material.
  • Track fallback/default rates for anomaly detection.
  • Document incident procedures for flag and key compromise.