Security

Best practices for securing your API keys and applications.

API Key Handling

API keys are the primary authentication mechanism for WhizAI. Here's what you need to know:

Key Format

API keys follow this format:

cw_{environment}_{random_string}

Examples: cw_development_..., cw_production_...

Key Generation

  • Keys are generated with a cryptographically secure random number generator
  • The full key is shown only once, at creation time - store it securely
  • The key prefix (first 12 characters) is visible in the dashboard so you can identify the key
  • Keys are hashed before storage (the plaintext is never stored)

App-Level Isolation

Each app is completely isolated:

  • API keys are scoped to a specific app
  • Data is isolated per app (no cross-app access)
  • Usage is tracked per app
  • Workflows are scoped to apps

This means you can safely use the same WhizAI account for multiple projects without data leakage.

Permission Scopes

API keys can have different permission scopes to limit what they can do:

  • generation.create - Create generation requests
  • generation.read - Read generation results
  • workflows.read - Read workflow runs
  • workflows.write - Create workflow runs
  • vector.search - Perform searches
  • vector.write - Ingest data
  • enrichment.* - All enrichment operations
  • moderation.* - All moderation operations

Use the principle of least privilege - only grant the scopes your application needs.
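The following is an added example, not WhizAI's own code, showing how the key-generation rules above (secure random string, prefix kept for identification, only a hash persisted) and the scope model fit together on the verifying side. It assumes details the page does not specify: 32 random bytes encoded as URL-safe base64, SHA-256 as the storage hash, the two environments from the examples, and glob-style matching for wildcard scopes such as enrichment.*.

```python
import hashlib
import hmac
import secrets
from fnmatch import fnmatchcase

# Assumptions (not stated on the page): these two environments, SHA-256 as the
# storage hash, and 32 random bytes for the random part of the key.
ENVIRONMENTS = {"development", "production"}
PREFIX_LEN = 12  # the page says the first 12 characters are shown in the dashboard


def generate_key(environment: str) -> dict:
    """Mint a key in the cw_{environment}_{random_string} format.

    Returns the plaintext (to be shown to the user exactly once) alongside the
    record that would actually be persisted: prefix plus hash, never plaintext.
    """
    if environment not in ENVIRONMENTS:
        raise ValueError(f"unknown environment: {environment}")
    plaintext = f"cw_{environment}_{secrets.token_urlsafe(32)}"
    record = {
        "prefix": plaintext[:PREFIX_LEN],
        "key_hash": hashlib.sha256(plaintext.encode()).hexdigest(),
    }
    return {"plaintext": plaintext, "record": record}


def verify_key(presented: str, record: dict) -> bool:
    """Check a presented key against the stored record.

    Only the hash is compared, so a database leak exposes no usable keys, and
    compare_digest keeps the comparison constant-time.
    """
    digest = hashlib.sha256(presented.encode()).hexdigest()
    return hmac.compare_digest(digest, record["key_hash"])


def scope_allows(granted: set, required: str) -> bool:
    """Least privilege: allow an operation only if a granted scope covers it.

    A wildcard scope such as enrichment.* covers every operation in that family
    and nothing outside it.
    """
    return any(fnmatchcase(required, pattern) for pattern in granted)
```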

Best Practices for Production

1. Store Keys Securely

  • Never commit API keys to version control
  • Use environment variables or secret management services
  • Rotate keys regularly
  • Use different keys for different environments

2. Use Appropriate Scopes

  • Create separate keys for different services
  • Use read-only keys when possible
  • Limit write permissions to services that need them

3. Monitor Usage

  • Check usage regularly in your dashboard
  • Set up alerts for unusual activity
  • Revoke keys that are no longer needed

4. Use HTTPS

Always use HTTPS when making API calls. Never send API keys over unencrypted connections.

What WhizAI Does NOT Do

For transparency and trust, here's what WhizAI does NOT do:

  • We do NOT store your API keys in plaintext
  • We do NOT share your data between apps
  • We do NOT use your data to train models (unless explicitly agreed)
  • We do NOT log request/response bodies (only metadata)
  • We do NOT expose your data to other customers

Need Help?

If you suspect a key has been compromised, revoke it immediately in your dashboard and generate a new one.
