API keys

Some workshops use API keys so trusted integrations can talk to TreadOS programmatically. Depending on your deployment, keys may be created in-app or issued by your TreadOS administrator; follow the process your organisation was given.

• Label keys clearly so you know what each integration uses.
• Revoke keys immediately if they are leaked, copied somewhere unsafe, or a vendor relationship ends.

Security expectations

Treat keys like passwords: store them in a secrets manager, never in email, and never in client-side code. They should only live in controlled server-side systems or approved integration platforms.

If you are not sure whether an integration still needs a key, review it and remove stale credentials. Old forgotten keys are one of the easiest ways to carry unnecessary risk.