Security Best Practices

Credential handling

• Store client_secret, metrics key, and refresh tokens only in server-side vault-backed config.
• Rotate secrets on schedule and on incident.
• Never embed privileged keys in launcher binaries.

Role minimization

• Use viewer/member tokens for dashboards that only read.
• Keep owner tokens out of automation scripts.

Incident prevention checklist

• Audit team membership monthly.
• Enforce 2FA for all admins.
• Monitor auth failures and unusual geographic sign-ins.