# Security Best Practices

> Best practices for securing your Turris API integration

To ensure the security of your integration, follow these best practices:

## Credential Protection

<Warning>
  **Never expose your `clientId` or `clientSecret` in frontend code.**
</Warning>

* Store credentials in environment variables or a secrets manager, never in source code or version control
* Rotate credentials periodically according to your security policies, and immediately if you suspect they have been exposed
* Use separate credentials for each environment (sandbox vs production) so that a leaked sandbox secret cannot be used against production

## Token Management

* Store tokens securely on your server; do not keep them in browser storage such as `localStorage`, where any script running on the page can read them
* Track token expiry and refresh ahead of it, rather than waiting for a request to fail with an expired token
* **Never pass tokens as URL parameters**: URLs end up in server logs, proxy logs, browser history, and `Referer` headers
* Cache tokens on your server and reuse them until they near expiry, rather than requesting a new token for every API call

### Token Refresh Strategy

```javascript theme={null}
// Recommended: Refresh token before expiration
const TOKEN_TTL = 60 * 60 * 1000; // 60 minutes in ms
const REFRESH_BUFFER = 5 * 60 * 1000; // 5 minutes buffer

function shouldRefreshToken(tokenIssuedAt) {
  const elapsed = Date.now() - tokenIssuedAt;
  return elapsed > (TOKEN_TTL - REFRESH_BUFFER);
}
```
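The check above is the core of a server-side token cache. The following is an added example (not code from the Turris SDK or documentation) that builds on it: a cache that refreshes ahead of expiry with the same 5-minute buffer, falls back to the documented 60-minute lifetime, and coalesces concurrent callers onto a single in-flight token request so a burst of traffic does not fan out into many token requests. It assumes the token endpoint returns a JSON body with `access_token` and `expires_in` (seconds), the OAuth 2.0 convention; adapt the field names if the Turris token response differs. The clock is injectable so the refresh logic can be tested without waiting.

```javascript
// Added example, not Turris-supplied code. Assumes an OAuth 2.0-style token
// response: { access_token: string, expires_in: seconds }.

const REFRESH_BUFFER_MS = 5 * 60 * 1000; // refresh 5 minutes before expiry
const DEFAULT_TTL_S = 60 * 60;           // documented 60-minute lifetime, used if expires_in is absent

class TokenCache {
  // fetchToken: async () => ({ access_token, expires_in })
  // now: injectable clock returning ms since epoch (for tests and deterministic behaviour)
  constructor(fetchToken, { now = Date.now, bufferMs = REFRESH_BUFFER_MS } = {}) {
    this.fetchToken = fetchToken;
    this.now = now;
    this.bufferMs = bufferMs;
    this.token = null;
    this.expiresAt = 0;   // absolute expiry, ms since epoch
    this.inflight = null; // pending refresh shared by concurrent callers
  }

  // Record a token response and compute its absolute expiry.
  store(response, issuedAt = this.now()) {
    const ttlS = Number.isFinite(response.expires_in) ? response.expires_in : DEFAULT_TTL_S;
    this.token = response.access_token;
    this.expiresAt = issuedAt + ttlS * 1000;
    return this.token;
  }

  // True when no token is held or the token is within the buffer of expiring.
  needsRefresh(now = this.now()) {
    return this.token === null || now >= this.expiresAt - this.bufferMs;
  }

  // Return a usable token, refreshing if needed. While a refresh is in flight,
  // every caller awaits the same promise instead of hitting the token endpoint again.
  async getToken() {
    if (!this.needsRefresh()) return this.token;
    if (!this.inflight) {
      this.inflight = this.fetchToken()
        .then((response) => this.store(response))
        .finally(() => { this.inflight = null; });
    }
    return this.inflight;
  }

  // Drop the cached token, e.g. after the API rejects it as invalid.
  invalidate() {
    this.token = null;
    this.expiresAt = 0;
  }
}
```

Pair `getToken()` with `invalidate()` in your request layer: if the API rejects a cached token, invalidate and retry once, so a token revoked before its nominal expiry does not keep failing until the buffer elapses.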

## Request Security

* **Always use HTTPS** for all API calls, and never disable certificate verification, even against the sandbox
* Validate and sanitize all input data before it reaches your API calls, especially anything taken from end users
* Implement appropriate error handling: log failures for diagnosis, but do not return raw API error bodies or credentials to end users
* Verify the signature on every incoming webhook before acting on it, and reject requests whose signature is missing or invalid

## Access Control

* Limit access to API credentials to only those who need it
* Implement the principle of least privilege
* Monitor and audit API usage
* Revoke credentials immediately when team members leave

## Data Protection

* Minimize the amount of sensitive data transmitted
* Implement proper data retention policies
* Handle sensitive data according to regulatory requirements
* Use secure channels for sharing API credentials within your team

## Network Security

For additional security, consider:

* IP allowlisting, so that only your API servers can use your credentials
* Rate limiting on your end, so a bug or retry storm cannot turn into accidental overuse of the API
* Logging all API requests for audit purposes, with tokens, secrets and account data redacted from the log
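As an added example covering the last two points (not code from the Turris documentation), here is a client-side token bucket that caps outbound calls, together with an audit-record builder that strips bearer tokens and secrets before anything is written to a log. The bucket size, refill rate, header names and sample URL are illustrative assumptions; the audit record deliberately drops the query string and omits the request body, since both are common places for tokens and account data to leak into logs.

```javascript
// Added example, not Turris-supplied code. Limits, header names and the sample
// URL are illustrative assumptions.

class TokenBucket {
  // capacity: burst size; ratePerSec: steady-state refill; now: injectable ms clock.
  constructor(capacity, ratePerSec, now = Date.now) {
    this.capacity = capacity;
    this.ratePerSec = ratePerSec;
    this.now = now;
    this.tokens = capacity;
    this.last = now();
  }

  // Add tokens for the time elapsed since the last call, capped at capacity.
  refill(nowMs) {
    const elapsedS = (nowMs - this.last) / 1000;
    this.tokens = Math.min(this.capacity, this.tokens + elapsedS * this.ratePerSec);
    this.last = nowMs;
  }

  // Consume one token and return true if a request may proceed now, else false.
  tryAcquire(nowMs = this.now()) {
    this.refill(nowMs);
    if (this.tokens >= 1) {
      this.tokens -= 1;
      return true;
    }
    return false;
  }
}

// Header names (lower-cased) whose values must never reach a log.
const SENSITIVE_HEADERS = new Set(['authorization', 'cookie', 'x-client-secret']);

// Build an audit record for one outbound request. The query string is dropped
// (tokens must never be in URLs, but redact regardless) and the body is omitted.
function auditRecord({ method, url, headers = {}, status, durationMs, requestId }) {
  const u = new URL(url);
  const redactedHeaders = {};
  for (const [name, value] of Object.entries(headers)) {
    redactedHeaders[name] = SENSITIVE_HEADERS.has(name.toLowerCase()) ? '[REDACTED]' : value;
  }
  return {
    ts: new Date().toISOString(),
    method,
    url: `${u.origin}${u.pathname}`,
    queryPresent: u.search.length > 0,
    headers: redactedHeaders,
    status,
    durationMs,
    requestId,
  };
}
```

Wrap your API client so that every call first passes `tryAcquire()` (queue or back off when it returns false) and ends by emitting `auditRecord(...)` to your log pipeline; a request ID carried in the record lets you correlate an audit line with the provider's own logs during an incident without ever storing the token that was used.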

## Checklist

<Check>Store credentials in environment variables or secrets manager</Check>
<Check>Never expose secrets in frontend code</Check>
<Check>Use HTTPS for all API calls</Check>
<Check>Implement token refresh before expiration</Check>
<Check>Verify webhook signatures</Check>
<Check>Log and monitor API usage</Check>
<Check>Rotate credentials periodically</Check>
