Key Security Recommendations

Keys are essential credentials for device onboarding and API calls and should be managed as sensitive information.

Do Not Expose Keys

Avoid exposing Keys in the following locations:

  • Public repositories such as GitHub
  • Group chat screenshots
  • Public documentation
  • Frontend source code
  • Mobile app bundles
  • Log files
  • Support ticket screenshots

Principle of Least Privilege

Use different Keys for different purposes.

For example:

  • Use the Group Key for device onboarding.
  • Use the SDK Key for server-side API calls.
  • Different service providers or data centers should use independent credentials.
  • Test environments and production environments should be separated.

Handling Leaks

If a Key leak is suspected:

  1. Stop using the affected Key immediately.
  2. Contact the platform to confirm the scope of impact.
  3. Check for unusual device onboarding.
  4. Check for unusual API calls.
  5. Replace or revoke the affected Key.
  6. Update the devices or systems that use that Key.

Log Handling

Do not output the complete Key in logs.

Display only a partially masked value, for example:

```text
ztg_****_9a3f
```

This facilitates troubleshooting while reducing the risk of leakage.
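
One way to enforce this in a Python service is a logging filter that rewrites any key-shaped token into the masked form shown above before the record is written. This is an added example, not code from the platform; the key pattern (`ztg_` followed by at least 8 alphanumeric characters), the logger name, and the sample key are assumptions constructed for illustration.

```python
import io
import logging
import re

# Assumed key shape: "ztg_" prefix plus 8+ alphanumerics (constructed, not a documented format).
KEY_RE = re.compile(r"\bztg_([A-Za-z0-9]{8,})")


def mask_keys(text: str) -> str:
    """Replace every key-shaped token with prefix + **** + last 4 characters."""
    return KEY_RE.sub(lambda m: f"ztg_****_{m.group(1)[-4:]}", text)


class KeyMaskingFilter(logging.Filter):
    """Masks keys in the fully formatted message, including %-style args."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = mask_keys(record.getMessage())
        record.args = None  # message is already formatted
        return True


def demo() -> str:
    """Log constructed sample lines through the filter and return the output."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    # Attach to the handler so records from child loggers are covered too.
    handler.addFilter(KeyMaskingFilter())
    logger = logging.getLogger("onboarding.demo")  # hypothetical logger name
    logger.setLevel(logging.INFO)
    logger.propagate = False
    logger.addHandler(handler)
    try:
        fake_key = "ztg_EXAMPLEKEY00009a3f"  # constructed sample, not a real key
        logger.info("onboarding device with key=%s", fake_key)
        logger.info("retry using ztg_****_9a3f")  # already masked: unchanged
    finally:
        logger.removeHandler(handler)
    return stream.getvalue()


if __name__ == "__main__":
    print(demo(), end="")
```

The filter only rewrites the log message; exception tracebacks and structured `extra` fields need their own masking.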