Operations

Security best practices

Treat FlashML API keys like production credentials and keep model bundle release workflows auditable.

Recommended practices

Secret handling

Store keys in a server-side secret manager and inject them at deploy time.

Environment isolation

Use separate API keys for development, staging, and production services.

Rotation

Create a replacement key, deploy it, verify traffic, then revoke the old key.

Least exposure

Do not send API keys to browsers, customer devices, notebooks, or shared logs.

Upload discipline

Check file size before reserving uploads and complete uploads before the 300 second URL expiry.

Model provenance

Version model bundles from CI and keep checksums or build IDs in your release system.