Skip to main content

Secure API Usage

Follow these best practices to keep your data safe.

Keep API Keys Secret

  • Store keys in environment variables
  • Never commit keys to version control
  • Never include keys in client-side JavaScript

Use Public Access for Frontends

For browser-based applications, enable public access on your cubes and only mark safe columns as public:

Server-Side Only for Write Operations

All write operations (create, update, delete) require an API key. Perform these operations from your server:

Rotate Keys Regularly

If you suspect a key has been compromised, rotate it immediately in the admin panel under Settings > API Keys.

CORS

CubeStack sets appropriate CORS headers for public endpoints. If you need custom CORS configuration, contact support.