> ## Documentation Index
> Fetch the complete documentation index at: https://docs.cubestack.app/llms.txt
> Use this file to discover all available pages before exploring further.

# Secure API Usage

> Best practices for securely using the CubeStack API.

# Secure API Usage

Follow these best practices to keep your data safe.

## Keep API Keys Secret

* Store keys in environment variables
* Never commit keys to version control
* Never include keys in client-side JavaScript

```bash theme={null}
# .env
CUBESTACK_API_KEY=your-api-key
```

## Use Public Access for Frontends

For browser-based applications, enable public access on your cubes and only mark safe columns as public:

```javascript theme={null}
// No API key needed — only public columns returned
const response = await fetch('https://api.cubestack.app/api/v1/my-project/products');
```

## Server-Side Only for Write Operations

All write operations (create, update, delete) require an API key. Perform these operations from your server:

```javascript theme={null}
// Server-side only
await fetch('https://api.cubestack.app/api/v1/my-project/products', {
  method: 'POST',
  headers: {
    'X-Api-Key': process.env.CUBESTACK_API_KEY,
    'Content-Type': 'application/json'
  },
  body: JSON.stringify({ title: 'New Product' })
});
```

## Rotate Keys Regularly

If you suspect a key has been compromised, rotate it immediately in the admin panel under **Settings > API Keys**.

## CORS

CubeStack sets appropriate CORS headers for public endpoints. If you need custom CORS configuration, contact support.
