Documentation

Authentication

TrustRouter uses API keys for server-to-server authentication.

API keys

  • Keys are scoped to a workspace/environment.
  • Keys should be rotated on a schedule or after any exposure.
  • Use separate keys for dev/staging/prod.

Recommended security practices

  • Store keys in secrets managers (AWS Secrets Manager, GCP Secret Manager, Vault).
  • Never ship keys to client-side applications.
  • Restrict access with role-based permissions in your organization.
  • Log key usage and alert on anomalies.

Request signing (optional, recommended for high-security deployments)

For enterprise deployments, TrustRouter can support additional verification layers such as:

  • IP allowlists
  • Signed webhook verification
  • Request signatures for internal services
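
One way a receiving service could verify a signed webhook or internal request, as an added example that is not TrustRouter's own code. The HMAC-SHA256 scheme, the "timestamp.body" message layout, the 300-second window and all names below are assumptions, since this page does not specify a signature format; the verifier takes several secrets so that checks keep passing while a key is being rotated.

```python
import hashlib
import hmac
import time
from typing import Optional, Sequence

MAX_SKEW_SECONDS = 300  # assumed replay window, not a TrustRouter value


def sign(secret: bytes, timestamp: str, body: bytes) -> str:
    """Sender side: hex HMAC-SHA256 over b"<timestamp>.<body>" (assumed layout)."""
    message = timestamp.encode("ascii") + b"." + body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify(secrets: Sequence[bytes], timestamp: str, signature: str,
           body: bytes, now: Optional[float] = None) -> bool:
    """Receiver side: True only for a fresh request signed with a known secret."""
    if not (isinstance(timestamp, str) and timestamp.isascii() and timestamp.isdigit()):
        return False
    if not isinstance(signature, str):
        return False
    now = time.time() if now is None else now
    if abs(now - int(timestamp)) > MAX_SKEW_SECONDS:
        return False  # stale or future-dated: treat as a replay
    ok = False
    for secret in secrets:  # current secret first, previous one during rotation
        expected = sign(secret, timestamp, body)
        # compare_digest is constant-time; check every secret, no early exit
        ok |= hmac.compare_digest(expected.encode(), signature.encode())
    return ok


if __name__ == "__main__":
    # Constructed sample values, not real keys or payloads.
    old, new = b"constructed-old-secret", b"constructed-new-secret"
    body, ts = b'{"event":"constructed.sample"}', "1700000000"
    sig = sign(old, ts, body)
    print(verify([new, old], ts, sig, body, now=1700000010))         # valid
    print(verify([new, old], ts, sig, body + b" ", now=1700000010))  # tampered
    print(verify([new], ts, sig, body, now=1700000010))              # old key retired
```

Verify against the raw request bytes before any JSON parsing, and drop the previous secret from the list once rotation is complete.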