Follow these practices to keep your integration and your users safe.

API Key Security

Your API key grants full access to your project. Treat it like a password.
  • Store in environment variables — never hardcode keys in source code or commit them to version control
  • Server-side only — API keys should only be used on your backend. Never expose them in client-side code, mobile apps, or browser JavaScript
  • Rotate when compromised — if you suspect a key has been leaked, regenerate it immediately from the Mufi Dashboard
  • Least privilege — use read-only keys for endpoints that only need to query data

Dashboard Access

  • Limit access — only grant Mufi Dashboard access to team members who need it
  • Use strong authentication — enable time-based one-time passwords (TOTP, e.g., Google Authenticator) on your dashboard account
  • Audit regularly — review who has access to your project and remove inactive team members

Transport Security

  • Always use HTTPS — all requests to the Mufi API must use HTTPS. Never make API calls over plain HTTP
  • Validate TLS certificates — ensure your HTTP client verifies the server's certificate (the default in most clients; never disable verification) to prevent man-in-the-middle attacks
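The key-handling and transport rules above, combined in one small server-side client. This is an added example written for this page, not code from Mufi; the environment variable name `MUFI_API_KEY`, the base URL `https://api.example.invalid`, the request path and the `Authorization: Bearer` header scheme are assumptions, not documented Mufi values.

```python
import os
import ssl
import json
from urllib.parse import urlparse
from urllib.request import Request, urlopen

# Assumed names (not from the Mufi docs): the environment variable holding
# the key and the API base URL are placeholders used for this example.
API_KEY_ENV_VAR = "MUFI_API_KEY"
DEFAULT_BASE_URL = "https://api.example.invalid"  # placeholder base URL


def load_api_key(env=None):
    """Read the API key from the environment instead of source code.

    Fails loudly on a missing or blank key so a misconfigured deployment
    stops instead of sending unauthenticated requests.
    """
    env = os.environ if env is None else env
    key = env.get(API_KEY_ENV_VAR, "").strip()
    if not key:
        raise RuntimeError(f"{API_KEY_ENV_VAR} is not set; refusing to start")
    return key


def validate_base_url(base_url):
    """Reject anything that is not an https:// URL with a host."""
    parsed = urlparse(base_url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError(f"API base URL must use https://, got {base_url!r}")
    return base_url.rstrip("/")


def redact(key):
    """Show only the last 4 characters when a key must appear in logs."""
    return "*" * max(len(key) - 4, 0) + key[-4:]


class MufiClient:
    """Minimal server-side client: key from env, HTTPS only, certs verified."""

    def __init__(self, base_url=DEFAULT_BASE_URL, env=None):
        self.base_url = validate_base_url(base_url)
        self.api_key = load_api_key(env)
        # create_default_context() loads the system CA bundle and enables
        # CERT_REQUIRED plus hostname checking, so a forged certificate makes
        # urlopen raise instead of silently talking to an impostor.
        self.ssl_context = ssl.create_default_context()
        if (self.ssl_context.verify_mode != ssl.CERT_REQUIRED
                or not self.ssl_context.check_hostname):
            raise RuntimeError("TLS context does not verify certificates")

    def build_request(self, path, payload=None):
        """Build the request; the key travels in a header, never in the URL."""
        url = f"{self.base_url}/{path.lstrip('/')}"
        body = None if payload is None else json.dumps(payload).encode()
        headers = {
            "Authorization": f"Bearer {self.api_key}",  # assumed auth scheme
            "Content-Type": "application/json",
        }
        return Request(url, data=body, headers=headers,
                       method="POST" if body else "GET")

    def call(self, path, payload=None, timeout=10):
        """Send the request over HTTPS with certificate verification on."""
        req = self.build_request(path, payload)
        with urlopen(req, context=self.ssl_context, timeout=timeout) as resp:
            return json.load(resp)
```

Run it with the key exported in the process environment (`export MUFI_API_KEY=...`) rather than written into the file; `redact()` is what should reach any log line, never the raw key.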

Frontend Security

If your application has a frontend that interacts with your backend (which then calls the Mufi API):

Content Security Policy (CSP)

  • Enforce a strict CSP to prevent cross-site scripting (XSS) attacks
  • Restrict script-src to known origins and avoid 'unsafe-inline'
  • Set appropriate frame-src directives if embedding content

CORS Configuration

  • Specify exact origins — avoid wildcards (*) in production
  • Be especially strict in your production environment (no localhost origins)
  • Review CORS settings when deploying to new domains

General

  • Implement TLS/HTTPS for all requests from your frontend to your backend
  • Avoid open redirects that could be exploited for phishing
  • Validate and sanitize all user input before processing it

Incident Response

If a team member’s account is compromised:
  1. Immediately regenerate all API keys for affected projects
  2. Review recent activity in the Mufi Dashboard for unauthorized actions
  3. Revoke access for the compromised account
  4. Contact us at connect@mufi.app if you suspect unauthorized API activity