Why this guide matters
Projects and API keys are the two most important control surfaces for access governance in Customer Dashboard.Project design recommendations
- Use consistent naming (
team-workload-environment). - Keep prod and non-prod in separate projects.
- Add tags for cost center, owner, and compliance domain.
API key lifecycle
Create
- Create keys per service integration, not per individual user.
- Set explicit expiry dates where possible.
Store
- Store keys only in secure secret managers.
- Never embed keys in frontend bundles or repos.
Rotate
- Rotate regularly and after personnel or ownership changes.
- Prefer dual-key rotation windows to avoid downtime.
Revoke
- Revoke immediately if compromise is suspected.
- Remove unused keys to minimize attack surface.
Common workflows
- Create project for a new product surface.
- Create API key scoped to that project.
- Deploy with secure secret injection.
- Track
last usedand expiry from API key table. - Rotate or revoke based on lifecycle policy.
Validation checklist
- Every key is mapped to exactly one project and service owner.
- Keys have expiry and rotation cadence.
- Revocation process is documented and tested.