> ## Documentation Index
> Fetch the complete documentation index at: https://docs.synapsai.cloud/llms.txt
> Use this file to discover all available pages before exploring further.

# Security best practices

> Protect API keys, model access, and inference traffic on SynapsAI Cloud

Strong security practices protect your models, data, and account. This page outlines recommended measures for production workloads.

## API key management

API keys provide programmatic access to your deployments and should be handled as sensitive credentials. See [API keys](/manage/api-keys) for creation, scoping, and rotation.

### Restrict API keys

When creating a key, restrict it to the minimum set of models it needs to access.

* Keys can be limited to specific models.
* Avoid keys configured to access **all** models unless absolutely necessary.
* Rotate keys every 90 days and refresh immediately if compromised.

### Store keys securely

* Never embed keys in frontend code or public repositories.
* Use environment variables or encrypted secret managers.
* Avoid logging keys or including them in error reports.

## Model IDs

Model IDs are less sensitive than API keys but still identify internal resources.

* Do not expose model IDs in publicly accessible URLs or client-side assets when avoidable.
* Treat model IDs as internal resource identifiers.

## Network and transport

* Use HTTPS for all client–server communication (enforced by the SynapsAI API).
* Run inference from backend services, not browsers, when using secret keys.

## Teams and access control

* Use [teams](/guides/team) with role-based access control for shared accounts.
* Require 2FA for team members handling production deployments.
* Review [audit logs](/guides/team#team-roles) for sensitive actions.

## Monitoring

* Monitor billing and usage on the [Billing](https://platform.synapsai.cloud/billing) page to detect unusual activity.
* Review model **Logs** and **Analytics** tabs for anomalous request patterns.

## Data handling

Inference data is processed on [shared GPU infrastructure](/isolation) and is not sold to third parties. See [Data](/resources/data) for location, encryption, and retention practices.

## Incident response

If credentials are exposed:

1. [Refresh or delete](/manage/api-keys) the affected API key immediately.
2. [Log out from all devices](/manage/account#sessions--logout) if the dashboard account may be compromised.
3. Contact [support](/support/contacting-support) if you need assistance.
