
What are the security best practices for integrating with the agentOS API?

Always store API keys server-side, use HTTPS for all requests, validate inputs and outputs, and never expose keys in client-side code, logs, or version control.

Securing your API key

Your API key is your primary credential for accessing the agentOS API. It must be treated as a secret at all times.

  • Store keys in environment variables or secure server-side configuration — never hardcode them
  • Exclude configuration files containing keys from version control (e.g. add to .gitignore)
  • Load keys at application startup, not at runtime from user input
  • Never expose keys in frontend JavaScript, HTML, mobile app code, URLs, application logs, error messages, or public documentation

Using HTTPS

All requests must use https://live-api.letmc.com. HTTP is not supported. Ensure your HTTP client:

  • Validates SSL certificates (never disable certificate validation)
  • Uses TLS 1.2 or higher
  • Sets sensible connection and read timeouts (30–60 seconds)
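The two sections above (key handling and HTTPS) can be combined in a small client. The following is an added example, not agentOS's own client library: it reads the key from an environment variable once at startup, refuses to start without it, sends the key in a header rather than the URL, and builds an HTTPS-only client from the Python standard library with certificate validation, a TLS 1.2 floor and a timeout in the recommended range. The variable name `AGENTOS_API_KEY`, the `Authorization: Bearer` header and the request path are assumptions; the page documents only the base URL.

```python
"""Added example (not agentOS's own client code): load the API key from the
environment at startup and call https://live-api.letmc.com over strict TLS.
AGENTOS_API_KEY, the Bearer header and the request path are assumptions."""
import os
import ssl
import urllib.request
from urllib.parse import urlsplit

BASE_URL = "https://live-api.letmc.com"  # documented base URL; HTTP is not supported
TIMEOUT_SECONDS = 30                      # within the 30-60 s range the page recommends


def load_api_key(env=os.environ, name="AGENTOS_API_KEY"):
    """Read the key once at startup from the environment; fail fast if absent."""
    key = env.get(name, "").strip()
    if not key:
        raise RuntimeError(f"{name} is not set; refusing to start without an API key")
    return key


def build_tls_context():
    """Strict TLS: system CA bundle, certificate and hostname checks, TLS 1.2 minimum."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def validate_url(url):
    """Reject anything that is not an https URL on the documented API host."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError(f"refusing non-HTTPS URL: {url}")
    if parts.netloc != urlsplit(BASE_URL).netloc:
        raise ValueError(f"unexpected host: {parts.netloc}")
    return url


def build_request(path, api_key):
    """Authenticated request; the key travels in a header, never in the URL or logs."""
    url = validate_url(BASE_URL + path)
    return urllib.request.Request(url, headers={
        "Authorization": f"Bearer {api_key}",  # header name and scheme are assumptions
        "Accept": "application/json",
    })


def send(req, ctx=None):
    """Perform the request with the strict TLS context and a read timeout."""
    ctx = ctx or build_tls_context()
    opener = urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx))
    with opener.open(req, timeout=TIMEOUT_SECONDS) as resp:
        return resp.status, resp.read()


if __name__ == "__main__":
    key = load_api_key()
    status, body = send(build_request("/EXAMPLE_PATH", key))  # placeholder path
    print(status, len(body), "bytes")
```

Because `build_tls_context` never touches `verify_mode` or `check_hostname`, there is no code path that can silently disable certificate validation; any change to that would have to be an explicit, reviewable edit.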

Handling data securely

Input validation: Validate data before sending it to the API — check required fields, data types, field lengths, and use UTF-8 encoding for all text.

Output handling: Validate API responses before processing. Sanitise data from API responses before displaying it to users. Escape HTML characters when rendering API data in web interfaces to prevent XSS vulnerabilities.

Error handling

  • Show generic error messages to end users — do not expose technical details or API responses
  • Log detailed error information securely on your server for debugging
  • Handle HTTP status codes appropriately (401, 403, 429, 500, etc.)
  • Implement exponential backoff or fixed delays for retries
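The four points above fit together in one retry wrapper. This is an added example, not code from agentOS: it treats 429 and 5xx as transient and retries them with capped exponential backoff and jitter, fails immediately on 401/403 and other client errors, writes the full status and response body to the server log, and surfaces only a generic message to the end user. The request function is injected so the logic can be exercised without a network; the status-code sets and delay parameters are this example's choices.

```python
"""Added example (not agentOS's own code): status-code handling with
exponential backoff. `do_request` is any callable returning (status, body),
so the wrapper can be tested offline with scripted responses."""
import logging
import random
import time

log = logging.getLogger("agentos.client")

RETRIABLE = {429, 500, 502, 503, 504}   # transient: rate limit or server trouble
NON_RETRIABLE = {400, 401, 403, 404}    # caller's fault: retrying cannot help


class ApiError(Exception):
    """Raised to the caller; `user_message` is all an end user should ever see."""
    user_message = "The service is temporarily unavailable. Please try again later."


def backoff_delay(attempt, base=0.5, cap=30.0, rng=random.random):
    """Full-jitter exponential backoff: uniform in [0, min(cap, base * 2**attempt)]."""
    return rng() * min(cap, base * (2 ** attempt))


def call_with_retries(do_request, max_attempts=4, sleep=time.sleep, rng=random.random):
    """Call do_request(); retry transient failures, fail fast on the rest."""
    if max_attempts < 1:
        raise ValueError("max_attempts must be at least 1")
    for attempt in range(max_attempts):
        status, body = do_request()
        if 200 <= status < 300:
            return body
        if status in RETRIABLE and attempt < max_attempts - 1:
            delay = backoff_delay(attempt, rng=rng)
            log.warning("agentOS returned %s; retry %d in %.2fs", status, attempt + 1, delay)
            sleep(delay)
            continue
        # Detailed information is for operators only: the body may contain API
        # internals that must not reach the end user.
        log.error("agentOS call failed: status=%s body=%r", status, body[:500])
        raise ApiError(f"status {status} after {attempt + 1} attempt(s)")


def user_facing_message(exc):
    """Map any failure to the generic text shown in the UI."""
    return exc.user_message if isinstance(exc, ApiError) else ApiError.user_message


if __name__ == "__main__":
    # Constructed responses standing in for the network: two transient errors, then success.
    scripted = iter([(503, b""), (429, b""), (200, b'{"ok": true}')])
    print(call_with_retries(lambda: next(scripted)))
```

The `rng` and `sleep` parameters exist only so the backoff schedule can be checked deterministically; in production the defaults apply.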

Application security

  • Keep API keys on the server — never in client-side code
  • Separate development and production environments
  • Limit access to production systems
  • Keep dependencies and libraries updated
  • Review code for security issues before deployment

Logging

  • Log API interactions and errors for monitoring, but never log API keys, passwords, or personal data
  • Protect log files from unauthorised access
  • Establish appropriate log retention policies
  • Monitor for unusual activity or high error rates
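To make the first and last points concrete, here is an added example (not agentOS's own code) of a logging filter that masks the API key and e-mail addresses before a record is written, together with a sliding-window counter that flags an unusual error rate. The key value, the log lines and the threshold are constructed for the example.

```python
"""Added example (not agentOS's own code): redact secrets and personal data
from log records, and flag a high API error rate over a sliding window."""
import logging
import re
from collections import deque
from time import monotonic


class RedactingFilter(logging.Filter):
    """Mask configured secret values and e-mail addresses in the final message."""
    EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")

    def __init__(self, secrets):
        super().__init__()
        self.secrets = [s for s in secrets if s]

    def redact(self, text):
        for secret in self.secrets:
            text = text.replace(secret, "***REDACTED***")
        return self.EMAIL.sub("***EMAIL***", text)

    def filter(self, record):
        # Format first so the secret is caught whether it came via msg or args.
        record.msg = self.redact(record.getMessage())
        record.args = ()
        return True


class ListHandler(logging.Handler):
    """Collects formatted lines in memory so the example runs without files."""
    def __init__(self, sink):
        super().__init__()
        self.sink = sink

    def emit(self, record):
        self.sink.append(self.format(record))


def build_logger(api_key, sink, name="agentos.example"):
    """Logger whose only handler redacts the API key before writing."""
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = ListHandler(sink)
    handler.addFilter(RedactingFilter([api_key]))
    logger.addHandler(handler)
    return logger


class ErrorRateMonitor:
    """Count 4xx/5xx responses in the last `window_seconds`; True when unusual."""
    def __init__(self, window_seconds=60, threshold=20, clock=monotonic):
        self.window = window_seconds
        self.threshold = threshold
        self.clock = clock
        self.events = deque()

    def record(self, status):
        now = self.clock()
        self.events.append((now, status >= 400))
        while self.events and now - self.events[0][0] > self.window:
            self.events.popleft()
        errors = sum(1 for _, is_error in self.events if is_error)
        return errors >= self.threshold


if __name__ == "__main__":
    lines = []
    key = "sk_live_EXAMPLEKEY"  # constructed value, not a real credential
    logger = build_logger(key, lines)
    logger.info("Calling agentOS with key %s for jane@example.com", key)
    print(lines[0])  # the key and the address are masked
```

Attaching the filter to the handler rather than the logger means every record that reaches the file is redacted, including records from third-party libraries that log through the same handler.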