API key management
API keys provide programmatic access to your deployments and should be handled as sensitive credentials. See API keys for creation, scoping, and rotation.Restrict API keys
When creating a key, restrict it to the minimum set of models it needs to access.- Keys can be limited to specific models.
- Avoid keys configured to access all models unless absolutely necessary.
- Rotate keys every 90 days and refresh immediately if compromised.
Store keys securely
- Never embed keys in frontend code or public repositories.
- Use environment variables or encrypted secret managers.
- Avoid logging keys or including them in error reports.
Model IDs
Model IDs are less sensitive than API keys but still identify internal resources.- Do not expose model IDs in publicly accessible URLs or client-side assets when avoidable.
- Treat model IDs as internal resource identifiers.
Network and transport
- Use HTTPS for all client–server communication (enforced by the SynapsAI API).
- Run inference from backend services, not browsers, when using secret keys.
Teams and access control
- Use teams with role-based access control for shared accounts.
- Require 2FA for team members handling production deployments.
- Review audit logs for sensitive actions.
Monitoring
- Monitor billing and usage on the Billing page to detect unusual activity.
- Review model Logs and Analytics tabs for anomalous request patterns.
Data handling
Inference data is processed on shared GPU infrastructure and is not sold to third parties. See Data for location, encryption, and retention practices.Incident response
If credentials are exposed:- Refresh or delete the affected API key immediately.
- Log out from all devices if the dashboard account may be compromised.
- Contact support if you need assistance.

