Guides›Security Best Practices

Security Best Practices

Never expose API keys client-side.
Rotate project keys periodically.
Verify webhook signatures using raw body.
Use idempotency keys to defend against replayed client retries.
Keep provider keys server-side only; Rooaak stores encrypted values and returns only keyLast4.
Keep contextUrl/webhook targets on trusted domains; Rooaak blocks private/local targets by default.