Documentation menu
Trust

Security

Protect TokenAir API keys, account access, and production traffic.

ExplanationLast updated: July 2, 2026

Key handling

  • Store API keys in a secret manager or deployment environment.
  • Never send API keys to browsers or mobile clients directly.
  • Rotate keys after accidental exposure.
  • Use separate keys for development, staging, and production when available.

Production safeguards

Put your own server between end users and TokenAir. This lets you enforce authentication, rate limits, spend controls, and prompt validation before traffic reaches the API gateway.

Data and logs

TokenAir may process account metadata, request timing, model selection, token usage, status codes, error information, and security logs needed to operate the service. See the Privacy Policy for the public data boundary.

Request metadata

For operational visibility, keep your own request metadata such as internal request ID, user ID hash, model ID, status code, latency, and token counts. Do not store raw API keys. If you log prompts or outputs, make sure your own privacy policy, customer agreements, and retention rules allow it.

Account and legal links

For privacy or terms questions, use your TokenAir account or the early access form. Public legal boundaries are available in the Privacy Policy and Terms of Service.

Next steps