Security
Protect TokenAir API keys, account access, and production traffic.
Key handling
- Store API keys in a secret manager or deployment environment.
- Never send API keys to browsers or mobile clients directly.
- Rotate keys after accidental exposure.
- Use separate keys for development, staging, and production when available.
Production safeguards
Put your own server between end users and TokenAir. This lets you enforce authentication, rate limits, spend controls, and prompt validation before traffic reaches the API gateway.
Data and logs
TokenAir may process account metadata, request timing, model selection, token usage, status codes, error information, and security logs needed to operate the service. See the Privacy Policy for the public data boundary.
Request metadata
For operational visibility, keep your own request metadata such as internal request ID, user ID hash, model ID, status code, latency, and token counts. Do not store raw API keys. If you log prompts or outputs, make sure your own privacy policy, customer agreements, and retention rules allow it.
Account and legal links
For privacy or terms questions, use your TokenAir account or the early access form. Public legal boundaries are available in the Privacy Policy and Terms of Service.