Principle of Least Privilege
Only grant tokens the permissions needed for their task. Broad permissions create unnecessary risk if the token is compromised. Even though Monime's permission intersection prevents tokens from exceeding their creator's authority, always scope them to the minimum required.

Secure Token Practices
Tokens are shown once on creation: store them securely and immediately afterwards using a password manager, secret vault, or encrypted config. Never paste them into chat, email, or documents. Document each token's purpose, permissions, creation date, and rotation schedule to prevent forgotten, risky tokens.

Shorter Token Lifetime
Shorter lifetimes reduce exposure from leaks but require more rotation. Use short-lived tokens for sensitive operations or for automated services that handle rotation easily. Longer lifetimes may be acceptable for lower-risk use, but still rotate them regularly.

Storage & Handling
Never commit tokens to version control, even in private repos. Use .gitignore, pre-commit hooks, and secret scanning tools. Separate environments: store production tokens in secure secret managers with audit logs and rotation, and use test tokens for development. Use secret management solutions such as AWS Secrets Manager, Azure Key Vault, Google Secret Manager, or HashiCorp Vault to store, rotate, and audit token use.

Runtime Usage Practices
Always transmit tokens over HTTPS/TLS; never send them via email or unencrypted channels. Keep tokens in memory only as long as needed and avoid logging them. Sanitize logs, error messages, and monitoring data to prevent leaks.

Security is always ongoing. Start with least privilege, secure storage, and monitoring, then layer on advanced protections as your needs grow. By combining multiple controls and keeping security top of mind, you protect your Spaces and data while staying ready for evolving threats.
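One way to implement the log-sanitization point from the Runtime Usage Practices section, as an added example that is not Monime's own code: a logging filter that masks every token value the process holds, plus any Authorization: Bearer header, before a record reaches a handler. The token string and log messages below are constructed samples, not real credentials, and no Monime token format is assumed.

```python
import io
import logging
import re
from typing import Iterable, List

# Matches "Authorization: Bearer <token>" in any message, case-insensitively.
BEARER_RE = re.compile(r"(?i)(authorization\s*:\s*bearer\s+)\S+")
MASK = "[REDACTED]"


class TokenRedactor(logging.Filter):
    """Logging filter that masks known token values and bearer headers."""

    def __init__(self, known_tokens: Iterable[str]):
        super().__init__()
        # The process already holds these tokens (e.g. loaded from a secret
        # manager), so registering them here adds no exposure.
        self._tokens = [t for t in known_tokens if t]

    def redact(self, text: str) -> str:
        for token in self._tokens:
            text = text.replace(token, MASK)
        return BEARER_RE.sub(r"\1" + MASK, text)

    def filter(self, record: logging.LogRecord) -> bool:
        # Render the message now so a token passed via %-args is also caught.
        record.msg = self.redact(record.getMessage())
        record.args = ()
        return True


def log_with_redaction(known_tokens: Iterable[str], messages: Iterable[str]) -> List[str]:
    """Log each message through a redacting logger and return the emitted lines."""
    buf = io.StringIO()
    logger = logging.getLogger("redaction.demo")  # hypothetical logger name
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    logger.addFilter(TokenRedactor(known_tokens))
    for msg in messages:
        logger.info("%s", msg)
    logger.removeHandler(handler)
    return buf.getvalue().splitlines()


if __name__ == "__main__":
    sample = "tok_CONSTRUCTED_EXAMPLE_123"  # constructed, not a real token
    for line in log_with_redaction([sample], [f"headers: Authorization: Bearer {sample}"]):
        print(line)
```

Attach the filter to the root logger in production so third-party libraries that log request headers are covered too; the filter does not inspect exception tracebacks, which need the same treatment before they are shipped to monitoring.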