Account
Account, team, and security
Security relies on roles, minimal integration permissions, and explicit secret rotation.
- Updated: 2026-04-19
- Availability: All accounts, team scope by plan
Rules
- Project access is checked server-side.
- Integrations use the minimum needed scope.
- Content API tokens are hashed, and plaintext is shown once.
- Invites and membership belong to the account model, not a single session.
Operator practice
- Rotate API tokens after provider or team changes.
- Disconnect integrations you no longer use.
- Do not paste secrets into task packs, notes, or generated content.
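One way to implement the "hashed, plaintext shown once" rule together with rotation, as an added example that is not this product's own code. The `TokenStore` class, the choice of SHA-256, and the `project-1` id are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class TokenStore:
    """In-memory stand-in for a token table; only digests are stored (hypothetical)."""

    def __init__(self):
        self._digests = {}  # token_id -> SHA-256 hex digest of the plaintext

    @staticmethod
    def _digest(plaintext: str) -> str:
        # A fast hash is adequate here because the token is 256 bits of
        # random data, not a human-chosen password.
        return hashlib.sha256(plaintext.encode("utf-8")).hexdigest()

    def issue(self, token_id: str) -> str:
        """Create a token, store its digest, return the plaintext once."""
        plaintext = secrets.token_urlsafe(32)
        self._digests[token_id] = self._digest(plaintext)
        return plaintext  # caller must display it now; it cannot be recovered

    def verify(self, token_id: str, presented: str) -> bool:
        stored = self._digests.get(token_id)
        if stored is None:
            return False
        # Constant-time comparison avoids leaking digest prefixes via timing.
        return hmac.compare_digest(stored, self._digest(presented))

    def rotate(self, token_id: str) -> str:
        """Replace the digest; the old plaintext stops working immediately."""
        if token_id not in self._digests:
            raise KeyError(token_id)
        return self.issue(token_id)

    def stored_values(self):
        return list(self._digests.values())


def demo():
    store = TokenStore()
    old = store.issue("project-1")  # constructed project id
    new = store.rotate("project-1")
    return {
        "old_valid": store.verify("project-1", old),
        "new_valid": store.verify("project-1", new),
        "plaintext_stored": new in store.stored_values(),
    }
```

Because only the digest is kept, a lost token cannot be recovered; the only remedy is `rotate`, which also invalidates the previous value.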
Continue to API auth
Project tokens are the most important secret for custom stacks.
