Operations
Security best practices
Treat FlashML API keys like production credentials and keep model bundle release workflows auditable.
Recommended practices
Secret handling
Store keys in a server-side secret manager and inject them at deploy time.
Environment isolation
Use separate API keys for development, staging, and production services.
Rotation
Create a replacement key, deploy it, verify traffic, then revoke the old key.
Least exposure
Do not send API keys to browsers, customer devices, notebooks, or shared logs.
Upload discipline
Check file size before reserving uploads and complete uploads before the 300 second URL expiry.
Model provenance
Version model bundles from CI and keep checksums or build IDs in your release system.