Settings
Security
Enable Secure Mode, manage server & API keys, add mTLS, and compare authentication approaches.
Enable Secure Mode, manage Server & API keys, add mTLS, and compare authentication modes to harden access to Social Plus APIs.
Secure Mode
Require backend mediation
Server Key
One-time secret generation
API Key
Network identifier
mTLS
Mutual certificate auth
Auth Modes
Capability comparison
Governance
Rotation & auditing
Secure Mode Overview
Without Secure Mode, a client app exchanges API key + userId directly for a long‑lived access token (higher abuse risk). Secure Mode inserts your backend to mint a short‑lived auth token using the Server Key; the client then redeems it for an access token.Always enable Secure Mode in production; unsecure mode is for local testing only.
Enable Secure Mode & Generate Server Key
1
Navigate
Console → Settings → Security (Integrations tab if grouped).
2
Toggle Secure Mode
Confirm impact dialogue.
3
Generate Server Key
Displayed once—copy immediately.
4
Store Secret
Place in secrets manager (Vault / KMS). Never commit.
5
Implement Backend
Add token exchange endpoint using Server Key.
Use a non Super‑Admin admin account to generate the Server Key.
Authentication Modes
Client uses API key + userId → access token (30d). Simplicity, low security.
| Mode | Client Secret Exposure | Abuse Risk | Operational Overhead | Recommended Use |
|---|---|---|---|---|
| Unsecure | API Key only | High (impersonation) | Low | Prototyping only |
| Secure | None (short auth token) | Low | Medium (backend endpoint) | Standard production |
| Secure + mTLS | None | Lowest | Medium (cert lifecycle) | High compliance / sensitive workloads |
Key & Token Concepts
API Key
API Key
Public identifier for network; OK in client; no user identity.
Server Key
Server Key
Backend-only secret used to mint auth tokens; rotate periodically.
Auth Token
Auth Token
Short-lived token (~10 min) created via Server Key proving backend mediation.
Access Token
Access Token
Longer-lived user session (~30 days) returned after auth token redemption.
mTLS Certificates
1
Prerequisite
Secure Mode enabled.
2
CSR Creation
Generate CSR (CN = service identity).
3
Upload CSR
Settings → Security → “+ Create Certificate”.
4
Issue & Activate
After issuance, enable mTLS toggle.
5
Deploy Cert
Install cert & private key on backend only; keep outside repo.
Maximum 2 active certificates; upload new before disabling old to achieve zero-downtime rotation.
Governance & Rotation
Server Key Rotation
Server Key Rotation
Annually or on suspicion; parallel run new & old ≤1h.
mTLS Renewal
mTLS Renewal
Track expiry; renew ≥30 days prior.
Logging Discipline
Logging Discipline
Log auth token generation events (userId, timestamp) but never secrets.
Incident Response
Incident Response
If key leak: revoke, rotate, invalidate suspicious sessions.
Metrics
| Metric | Target | Trigger |
|---|---|---|
| Unauthorized Attempts | 0 | Any → investigate & rotate |
| Server Key Age (days) | < 365 | ≥ 365 → rotate |
| mTLS Coverage (%) | 100% for auth endpoints | <100% → migrate remaining calls |
| Auth Token Failure % | < 2% | Spike → check clocks / code path |
| Cert Expiry Lead (days) | > 30 | < 30 → start renewal |
Troubleshooting
| Symptom | Cause | Resolution |
|---|---|---|
| 401 on auth token request | Wrong/rotated Server Key | Update secret & redeploy backend |
| Access token missing | Auth token not supplied | Ensure client sends authToken parameter |
| mTLS handshake fail | Expired or CN mismatch | Renew cert; confirm chain validity |
| High auth failure rate | Clock skew | Sync NTP on servers |
| Sudden unauthorized spike | Key compromise | Rotate Server Key immediately; audit logs |
Quick Reference
Production Baseline
Secure Mode ON
High Assurance
Add mTLS
Rotate Key
≤12 months
Cert Renewal
≥30 day lead