Security baseline when integrating RouterBrain inference APIs.
Secret storage
| Layer | Practice |
|---|---|
| Production servers | Secret manager / K8s Secret / cloud SM |
| Test / integration | Keys separate from prod; inject via env or secret store — never commit |
| CI | Pipeline secrets; mask logs |
Never ship production keys in browsers, mobile apps, or static front-end bundles.
BFF / server proxy
Browser ──► Your API ──► RouterBrain gateway
↑
holds API key
Authenticate end users on your API, then call the gateway server-side.
Log redaction
- Do not log full
Authorization/x-api-key. - Safe to log
x-trace-id, status,model(Support information). - Avoid logging full request bodies with PII unless required and redacted.
Least privilege
- Use separate keys for non-production and production workloads.
- Split keys per microservice to limit blast radius.
- Rotate on schedule (Key lifecycle).
Supply chain
- Pin
@routerbrain/sdkversions (Version compatibility). - Verify dependencies do not send keys to unexpected hosts.