Security Best Practices

Essential security guidelines for integrating with Tenzro Platform and protecting your applications.

API Key Security

Storage

Never commit API keys to version control
Use environment variables or secret management systems
Rotate keys regularly (recommended: every 90 days)
Use separate keys for development and production

Key Prefixes

Prefix	Environment	Purpose
`tnz_`	All environments	Tenant-prefixed API key (format: tnz_{tenant}_{{secret}})

Authentication

API Key Handling

Store API keys in server-side environment variables only
Never expose API keys in client-side code or NEXT_PUBLIC_ variables
Use API route handlers to proxy requests from client to server
Set key expiration dates and rotate regularly

// Server-side API key usage (correct)
// In your Next.js API route or server action:
const response = await fetch('https://api.platform.tenzro.com/api/wallet/list', {
  headers: {
    'X-API-Key': process.env.TENZRO_API_KEY!, // Server-side only
    'X-Tenant-Id': process.env.TENZRO_TENANT_ID!,
  },
});

Event Stream Security

SSE Connections

Tenzro Platform uses Server-Sent Events (SSE) via NATS JetStream for real-time updates. Always authenticate SSE connections with your API key:

// Secure SSE connection
const eventSource = new EventSource(
  'https://api.platform.tenzro.com/api/events/stream', {
    headers: {
      'X-API-Key': process.env.TENZRO_API_KEY,
      'X-Tenant-Id': process.env.TENZRO_TENANT_ID,
    }
  }
);

Event Stream Best Practices

Use HTTPS endpoints only
Authenticate every SSE connection with API key headers
Implement idempotency (events may be replayed)
Handle reconnection with last-event-id
Process events asynchronously

Input Validation

Always validate and sanitize user inputs:

Validate addresses are properly formatted
Check amounts are within expected ranges
Sanitize all string inputs
Use parameterized queries for database operations

Rate Limiting

Implement client-side rate limiting to prevent accidental abuse:

class RateLimiter {
  private requests: number[] = [];
  private limit: number;
  private window: number;

  constructor(limit: number, windowMs: number) {
    this.limit = limit;
    this.window = windowMs;
  }

  async throttle(): Promise<void> {
    const now = Date.now();
    this.requests = this.requests.filter(t => t > now - this.window);

    if (this.requests.length >= this.limit) {
      const waitTime = this.requests[0] + this.window - now;
      await new Promise(r => setTimeout(r, waitTime));
    }

    this.requests.push(now);
  }
}

Secure Communication

All API requests must use HTTPS
TLS 1.2 or higher is required
Certificate pinning is recommended for mobile apps
Use authenticated SSE connections for real-time event streams

Logging and Monitoring

Log all authentication attempts
Monitor for unusual activity patterns
Set up alerts for failed requests
Never log sensitive data (tokens, keys, passwords)

Incident Response

If you suspect a security incident:

Immediately rotate all API keys
Review audit logs for unauthorized access
Contact security@tenzro.com
Document the incident timeline