Security

How to handle your FluxRouter API key safely, how to rotate or revoke it if it leaks, and how to report a security issue.

This page covers how to keep your FluxRouter API key safe and how to report a security issue. To report a vulnerability or ask a security question, contact hello@fluxrouter.ai.

How should I treat my API key?

Your API key (sk-...) is a bearer credential. Anyone who has it can make requests that bill to your account, so treat it like a password:

  • Keep it server-side. Do not embed it in browser JavaScript, mobile apps, or any client a user can inspect. Make calls to providers from your backend, not from the user's device.
  • Use environment variables or a secrets manager. Load the key from an environment variable (for example FLUX_API_KEY) or a secrets manager. Do not paste it into source code.
  • Keep it out of version control. Do not commit the key to a repository. Add the files that hold it (such as .env) to your .gitignore.
  • Do not share it in logs, screenshots, or support tickets. If you need to share a request for debugging, redact the key first.
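
A sketch of the environment-variable and redaction advice above, as an added example rather than FluxRouter's own code. The helper names (load_api_key, redact, RedactKeyFilter, debug_dump) are hypothetical, and the key pattern is an assumption based only on the sk- prefix shown on this page.

```python
import logging
import os
import re

# Assumption: keys start with "sk-" (as shown on this page) followed by at
# least 8 URL-safe characters; the real key alphabet and length may differ.
KEY_PATTERN = re.compile(r"sk-[A-Za-z0-9_\-]{8,}")
MASK = "sk-[REDACTED]"


def load_api_key(env=os.environ):
    """Read the key from FLUX_API_KEY and fail closed if it is absent."""
    key = env.get("FLUX_API_KEY", "").strip()
    if not key:
        raise RuntimeError("FLUX_API_KEY is not set")
    return key


def redact(text, known_key=None):
    """Mask the exact loaded key first, then anything that looks like a key."""
    if known_key:
        text = text.replace(known_key, MASK)
    return KEY_PATTERN.sub(MASK, text)


class RedactKeyFilter(logging.Filter):
    """Logging filter that scrubs keys from every record before it is emitted."""

    def __init__(self, known_key=None):
        super().__init__()
        self.known_key = known_key

    def filter(self, record):
        # Render the message with its args, then keep only the cleaned text.
        record.msg = redact(record.getMessage(), self.known_key)
        record.args = ()
        return True


def debug_dump(method, url, headers, known_key=None):
    """Build a shareable request summary for a support ticket, key removed."""
    lines = [f"{method} {url}"]
    lines += [f"{name}: {value}" for name, value in headers.items()]
    return redact("\n".join(lines), known_key)
```

Attach the filter to each log handler with handler.addFilter(RedactKeyFilter(key)) so records propagated from other loggers are scrubbed as well.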

What do I do if my key leaks?

Rotate or revoke the key from your dashboard. Revoking a key immediately stops it from being used; you can issue a new one and update your application to use it. If you believe a key has been exposed, rotate it right away rather than waiting.

How do I report a security issue?

If you find a security vulnerability or have a concern about the security of the service, email hello@fluxrouter.ai. Please include enough detail to reproduce or understand the issue, and avoid posting it publicly before we have had a chance to respond.

Questions

For any security question not answered here, contact hello@fluxrouter.ai.