
Security

Advanced: Security Best Practices

Security is paramount when interacting with APIs, especially those handling potentially sensitive data or financial transactions. Follow these best practices when integrating with REALM AI.

Authentication

  • Protect Credentials: Treat your API Key and especially your API Secret as highly confidential passwords.

    • Never embed secrets directly in client-side code (JavaScript in browsers, mobile apps).

    • Store secrets securely on your backend servers using environment variables or dedicated secret management systems (e.g., AWS Secrets Manager, HashiCorp Vault).

    • Generate signatures exclusively on your secure backend.

  • Key Rotation: Implement a process for regularly rotating API keys. This limits the window of opportunity if a key is compromised.

  • Least Privilege: If REALM AI offers API keys with different permission scopes in the future, use keys with the minimum permissions necessary for their specific task.

Input Validation & Sanitization

  • Client-Side: Validate user input in your application before sending it to the REALM AI API (e.g., check prompt length, image format/size).

  • Server-Side: Although REALM AI performs its own validation, assume all external input could be malicious. Validate again on your backend, since client-side checks can be bypassed, and sanitize any data that ends up in prompts or metadata when it originates from untrusted user input on your end. Where you accept file uploads, check the actual bytes rather than trusting the client-declared content type.
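The following is an added example, not code from REALM AI or its SDK, showing the backend pre-flight check described above: the prompt is length-limited and stripped of control characters, and the image is checked against byte signatures and a size cap instead of the declared content type. The limits (2000 prompt characters, 10 MiB image) and the accepted formats are placeholders chosen for the example; use the limits from the Image Gen guide.

```python
"""Added example (not REALM AI's code): pre-flight validation of a prompt and an
input image on the backend before the request is sent to the REALM AI API.

ASSUMPTION: MAX_PROMPT_CHARS, MAX_IMAGE_BYTES and IMAGE_MAGIC are placeholder
limits for this example, not REALM AI's documented limits."""
import re
from typing import Any, Dict, Tuple

MAX_PROMPT_CHARS = 2000               # assumed limit
MAX_IMAGE_BYTES = 10 * 1024 * 1024    # assumed 10 MiB cap

# Byte signatures we accept; checked instead of trusting a client-declared type.
IMAGE_MAGIC = {
    "image/png": b"\x89PNG\r\n\x1a\n",
    "image/jpeg": b"\xff\xd8\xff",
}

# C0 control characters (except tab/newline) and DEL are never legitimate in a prompt.
_CONTROL = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")

# Constructed sample input: a PNG header followed by filler bytes (not a real image).
SAMPLE_PNG = IMAGE_MAGIC["image/png"] + b"\x00" * 32


def validate_prompt(prompt: Any) -> Tuple[bool, str]:
    """Return (True, cleaned_prompt) or (False, error)."""
    if not isinstance(prompt, str):
        return False, "prompt must be a string"
    cleaned = _CONTROL.sub("", prompt).strip()
    if not cleaned:
        return False, "prompt is empty"
    if len(cleaned) > MAX_PROMPT_CHARS:
        return False, f"prompt exceeds {MAX_PROMPT_CHARS} characters"
    return True, cleaned


def validate_image(data: bytes, declared_type: str) -> Tuple[bool, str]:
    """Return (True, declared_type) or (False, error). Sniffs magic bytes."""
    if not data:
        return False, "image is empty"
    if len(data) > MAX_IMAGE_BYTES:
        return False, f"image exceeds {MAX_IMAGE_BYTES} bytes"
    magic = IMAGE_MAGIC.get(declared_type)
    if magic is None:
        return False, f"unsupported image type {declared_type}"
    if not data.startswith(magic):
        return False, f"image bytes do not match declared type {declared_type}"
    return True, declared_type


def check_request(prompt: Any, image: bytes, image_type: str) -> Dict[str, Any]:
    """Validate both fields; only a fully valid request should reach the API call."""
    ok, prompt_or_err = validate_prompt(prompt)
    if not ok:
        return {"ok": False, "error": prompt_or_err, "prompt": None, "image_type": None}
    ok, type_or_err = validate_image(image, image_type)
    if not ok:
        return {"ok": False, "error": type_or_err, "prompt": None, "image_type": None}
    return {"ok": True, "error": None, "prompt": prompt_or_err, "image_type": type_or_err}


if __name__ == "__main__":
    print(check_request("  A red fox\x00 in snow ", SAMPLE_PNG, "image/png"))
    print(check_request("fox", b"GIF89a" + b"\x00" * 16, "image/png"))
```

Run the same check on the client for fast feedback, but treat the backend result as the only one that counts.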

Transport Security

  • HTTPS Only: All communication with api.realm.ai must use HTTPS (TLS 1.2 or higher) to encrypt data in transit.
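As an added example covering both the Authentication and Transport Security points above (this is illustrative code, not REALM AI's SDK), the backend below loads the key and secret from the environment and fails closed if they are missing, computes the request signature server-side, and pins the TLS floor to 1.2 with certificate and hostname verification. The signing scheme (HMAC-SHA256 over method, path, timestamp and body hash, carried in `X-Api-Key`, `X-Timestamp` and `X-Signature` headers) and the `/v1/image` path are assumptions for illustration; use the scheme in the Authentication guide.

```python
"""Added example (not REALM AI's SDK): backend-only request signing and a
TLS 1.2 floor for calls to api.realm.ai.

ASSUMPTION: the signing scheme (HMAC-SHA256 over method, path, timestamp and
SHA-256 of the body; X-Api-Key / X-Timestamp / X-Signature headers) and the
/v1/image path are illustrative; follow the Authentication guide for the real one."""
import hashlib
import hmac
import http.client
import os
import ssl
import time
from typing import Dict, Mapping, Optional, Tuple

REALM_HOST = "api.realm.ai"


def load_credentials(env: Mapping[str, str] = os.environ) -> Tuple[str, str]:
    """Read key/secret from the environment (assumed variable names); fail closed."""
    key = env.get("REALM_API_KEY", "")
    secret = env.get("REALM_API_SECRET", "")
    if not key or not secret:
        raise RuntimeError("REALM_API_KEY and REALM_API_SECRET must be set on the backend")
    return key, secret


def sign_request(secret: str, method: str, path: str, body: bytes, timestamp: int) -> str:
    """HMAC-SHA256 over a canonical string (assumed format). Never run client-side."""
    body_hash = hashlib.sha256(body).hexdigest()
    canonical = f"{method.upper()}\n{path}\n{timestamp}\n{body_hash}".encode()
    return hmac.new(secret.encode(), canonical, hashlib.sha256).hexdigest()


def signed_headers(key: str, secret: str, method: str, path: str, body: bytes,
                   timestamp: Optional[int] = None) -> Dict[str, str]:
    """Headers for an outbound call; the secret itself never leaves the backend."""
    ts = int(time.time()) if timestamp is None else timestamp
    return {
        "Content-Type": "application/json",
        "X-Api-Key": key,            # identifies the caller
        "X-Timestamp": str(ts),      # lets the server reject stale or replayed signatures
        "X-Signature": sign_request(secret, method, path, body, ts),
    }


def tls_context() -> ssl.SSLContext:
    """Certificate and hostname verification on, nothing older than TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def tls_policy(ctx: ssl.SSLContext) -> Dict[str, object]:
    """Effective policy of a context, so it can be asserted at startup or in tests."""
    return {
        "min_version": ctx.minimum_version.name,
        "check_hostname": ctx.check_hostname,
        "verify_mode": ctx.verify_mode.name,
    }


def post_json(path: str, body: bytes) -> Tuple[int, bytes]:
    """Send a signed request over HTTPS only (network call; not exercised offline)."""
    key, secret = load_credentials()
    conn = http.client.HTTPSConnection(REALM_HOST, context=tls_context(), timeout=15)
    conn.request("POST", path, body=body,
                 headers=signed_headers(key, secret, "POST", path, body))
    resp = conn.getresponse()
    return resp.status, resp.read()


if __name__ == "__main__":
    # Constructed demo values; real credentials come from the environment.
    demo_body = b'{"prompt":"a red fox"}'
    print(signed_headers("demo-key", "demo-secret", "POST", "/v1/image", demo_body,
                         timestamp=1700000000))
    print(tls_policy(tls_context()))
```

A useful startup check is to call `tls_policy(tls_context())` once and refuse to boot if the minimum version or verification mode has been loosened by configuration.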

Webhook Security

  • Verify Signatures: Always verify the X-Webhook-Signature header on every incoming webhook request using your shared secret, before parsing or acting on the payload, to confirm it originates from REALM AI. Compute the expected value over the raw request body exactly as received and compare it using a constant-time comparison. See the Webhooks guide for the signing scheme.

  • HTTPS Endpoint: Ensure your webhook receiving endpoint uses HTTPS.

  • Rate Limiting/Firewall: Protect your webhook endpoint from denial-of-service attacks.
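The handler below is an added example, not REALM AI's code, of the verification step in the Webhook Security list: the signature is checked over the raw body with a constant-time comparison, and the JSON is only parsed after the check passes. It assumes the header carries a hex-encoded HMAC-SHA256 of the raw body keyed with the shared webhook secret; if the Webhooks guide specifies a different scheme (for example a timestamp included in the signed string), adapt `compute_signature` to match. The sample secret and event body are constructed for the demo.

```python
"""Added example (not REALM AI's code): verifying X-Webhook-Signature on an
incoming webhook request.

ASSUMPTION: the header is a hex-encoded HMAC-SHA256 of the raw request body
keyed with the shared webhook secret. Adapt to the scheme in the Webhooks guide."""
import hashlib
import hmac
import json
from typing import Any, Dict, Mapping, Tuple

SIGNATURE_HEADER = "X-Webhook-Signature"

# Constructed sample secret and event for the demo; not real REALM AI data.
SAMPLE_SECRET = b"whsec_demo_0123456789"
SAMPLE_BODY = b'{"event":"job.completed","job_id":"job_demo_1","status":"succeeded"}'


def compute_signature(secret: bytes, raw_body: bytes) -> str:
    """Hex HMAC-SHA256 over the raw bytes, not over a re-serialised JSON object."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, raw_body: bytes, header_value: str) -> bool:
    """Constant-time comparison; a plain == would leak timing information."""
    if not header_value or not header_value.isascii():
        return False
    expected = compute_signature(secret, raw_body)
    return hmac.compare_digest(expected, header_value.strip().lower())


def handle_webhook(secret: bytes, raw_body: bytes,
                   headers: Mapping[str, str]) -> Tuple[int, Dict[str, Any]]:
    """Return (HTTP status, response body). Verify BEFORE parsing or acting on the JSON."""
    lowered = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    provided = lowered.get(SIGNATURE_HEADER.lower(), "")
    if not verify_signature(secret, raw_body, provided):
        return 401, {"error": "invalid signature"}
    try:
        event = json.loads(raw_body)
    except ValueError:
        return 400, {"error": "malformed JSON"}
    # Only now is it safe to enqueue or process the event.
    return 200, {"received": event.get("job_id")}


if __name__ == "__main__":
    good = compute_signature(SAMPLE_SECRET, SAMPLE_BODY)
    print(handle_webhook(SAMPLE_SECRET, SAMPLE_BODY, {SIGNATURE_HEADER: good}))
    tampered = SAMPLE_BODY.replace(b"succeeded", b"failed")
    print(handle_webhook(SAMPLE_SECRET, tampered, {SIGNATURE_HEADER: good}))
```

Read the body as bytes before any framework middleware re-encodes it; verifying a re-serialised copy of the JSON will fail on whitespace or key-order differences. If the real scheme includes a timestamp, also reject events older than a short window so a captured request cannot be replayed.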

Solana Wallet Security

  • User Responsibility: Educate your users about standard Solana wallet security practices (seed phrase protection, avoiding phishing links).

  • Transaction Review: Ensure your application clearly presents the details of any Solana transaction it asks the user to sign via their wallet.

  • Never Ask for Private Keys: Your application should never ask for or handle user private keys or seed phrases directly. Signing should always be delegated to the user's wallet software.

Dependency Management

  • Keep your application's dependencies (including HTTP clients, crypto libraries, and any REALM AI SDKs) up-to-date to patch known vulnerabilities.

Monitoring and Logging

  • Log relevant API interactions (request IDs, timestamps, job IDs, errors) on your backend to aid in debugging and security incident investigation. Avoid logging sensitive data like full API secrets or user PII unless necessary and properly secured.
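As an added example (not REALM AI's code), the snippet below logs the fields that help an investigation (request ID, job ID, status, latency) while a logging filter redacts known secrets, bearer tokens and e-mail addresses before anything reaches the log sink. The `sk_demo_` token prefix and the sample values are constructed for the example.

```python
"""Added example (not REALM AI's code): structured API-call logging with
redaction of secrets and PII.

ASSUMPTION: the secret values passed to the filter and the sample tokens are
placeholders; pass your real API secret(s) at startup so they can never be logged."""
import logging
import re
from typing import Iterable, List

_EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
_BEARER = re.compile(r"(?i)(authorization:\s*bearer\s+)\S+")


def redact(text: str, secrets: Iterable[str]) -> str:
    """Mask exact secret values first, then generic token/e-mail patterns."""
    for s in secrets:
        if s:
            text = text.replace(s, "[REDACTED]")
    text = _BEARER.sub(r"\1[REDACTED]", text)
    return _EMAIL.sub("[email]", text)


class RedactingFilter(logging.Filter):
    """Rewrites every record's message so a secret cannot slip into the sink."""

    def __init__(self, secrets: Iterable[str]) -> None:
        super().__init__()
        self._secrets: List[str] = [s for s in secrets if s]

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage(), self._secrets)
        record.args = ()          # already formatted; prevent a second % substitution
        return True


def build_logger(secrets: Iterable[str], name: str = "realm.api") -> logging.Logger:
    logger = logging.getLogger(name)
    logger.handlers.clear()
    handler = logging.StreamHandler()
    handler.setFormatter(logging.Formatter("%(asctime)s %(levelname)s %(message)s"))
    handler.addFilter(RedactingFilter(secrets))
    logger.addHandler(handler)
    logger.setLevel(logging.INFO)
    logger.propagate = False
    return logger


def log_api_call(logger: logging.Logger, request_id: str, job_id: str,
                 status: str, elapsed_ms: int) -> str:
    """Log the identifiers an incident responder needs; never the prompt, secret or user PII."""
    line = (f"realm_api request_id={request_id} job_id={job_id} "
            f"status={status} elapsed_ms={elapsed_ms}")
    logger.info(line)
    return line


if __name__ == "__main__":
    log = build_logger(["sk_demo_123"])
    log_api_call(log, "req_demo_1", "job_demo_1", "succeeded", 812)
    # A careless debug line still comes out masked:
    log.info("Authorization: Bearer sk_demo_123 user=alice@example.com")
```

Wire the filter onto every handler, not just the logger, if third-party libraries log through their own loggers; a token dumped by an HTTP client's debug logging is the usual way a secret ends up in a log aggregator.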

By adhering to these practices, you can build secure and reliable applications leveraging the REALM AI platform.
