> ## Documentation Index
> Fetch the complete documentation index at: https://learn.social.plus/llms.txt
> Use this file to discover all available pages before exploring further.

# Security

> Enable Secure Mode, manage server & API keys, add mTLS, and compare authentication approaches.

<Info>
  Enable Secure Mode, manage Server & API keys, add mTLS, and compare authentication modes to harden access to Social Plus APIs.
</Info>

<CardGroup cols={3}>
  <Card title="Secure Mode" icon="lock">Require backend mediation</Card>
  <Card title="Server Key" icon="key">One-time secret generation</Card>
  <Card title="API Key" icon="eye">Network identifier</Card>
  <Card title="mTLS" icon="shield">Mutual certificate auth</Card>
  <Card title="Auth Modes" icon="bring-forward">Capability comparison</Card>
  <Card title="Governance" icon="clipboard">Rotation & auditing</Card>
</CardGroup>

## Secure Mode Overview

Without Secure Mode, a client app exchanges API key + userId directly for a long‑lived access token (higher abuse risk). Secure Mode inserts your backend to mint a short‑lived auth token using the Server Key; the client then redeems it for an access token.

<Warning>Always enable Secure Mode in production; unsecure mode is for local testing only.</Warning>

## Enable Secure Mode & Generate Server Key

<Steps>
  <Step title="Navigate">Console → Settings → Security (Integrations tab if grouped).</Step>
  <Step title="Toggle Secure Mode">Confirm impact dialogue.</Step>
  <Step title="Generate Server Key">Displayed once—copy immediately.</Step>
  <Step title="Store Secret">Place in secrets manager (Vault / KMS). Never commit.</Step>
  <Step title="Implement Backend">Add token exchange endpoint using Server Key.</Step>
</Steps>

<Info>Use a non Super‑Admin admin account to generate the Server Key.</Info>

## Authentication Modes

<Tabs>
  <Tab title="Unsecure">Client uses API key + userId → access token (30d). Simplicity, low security.</Tab>
  <Tab title="Secure Mode">Backend mints short (\~10m) auth token using Server Key; client redeems for access token.</Tab>
  <Tab title="Secure + mTLS">Adds mutual TLS between backend and API token endpoint; mitigates MITM & credential replay.</Tab>
</Tabs>

| Mode          | Client Secret Exposure  | Abuse Risk           | Operational Overhead      | Recommended Use                       |
| ------------- | ----------------------- | -------------------- | ------------------------- | ------------------------------------- |
| Unsecure      | API Key only            | High (impersonation) | Low                       | Prototyping only                      |
| Secure        | None (short auth token) | Low                  | Medium (backend endpoint) | Standard production                   |
| Secure + mTLS | None                    | Lowest               | Medium (cert lifecycle)   | High compliance / sensitive workloads |

## Key & Token Concepts

<AccordionGroup>
  <Accordion title="API Key">Public identifier for network; OK in client; no user identity.</Accordion>
  <Accordion title="Server Key">Backend-only secret used to mint auth tokens; rotate periodically.</Accordion>
  <Accordion title="Auth Token">Short-lived token (\~10 min) created via Server Key proving backend mediation.</Accordion>
  <Accordion title="Access Token">Longer-lived user session (\~30 days) returned after auth token redemption.</Accordion>
</AccordionGroup>

## mTLS Certificates

<Steps>
  <Step title="Prerequisite">Secure Mode enabled.</Step>
  <Step title="CSR Creation">Generate CSR (CN = service identity).</Step>
  <Step title="Upload CSR">Settings → Security → “+ Create Certificate”.</Step>
  <Step title="Issue & Activate">After issuance, enable mTLS toggle.</Step>
  <Step title="Deploy Cert">Install cert & private key on backend only; keep outside repo.</Step>
</Steps>

<Info>Maximum 2 active certificates; upload new before disabling old to achieve zero-downtime rotation.</Info>

## Governance & Rotation

<AccordionGroup>
  <Accordion title="Server Key Rotation">Annually or on suspicion; parallel run new & old ≤1h.</Accordion>
  <Accordion title="mTLS Renewal">Track expiry; renew ≥30 days prior.</Accordion>
  <Accordion title="Logging Discipline">Log auth token generation events (userId, timestamp) but never secrets.</Accordion>
  <Accordion title="Incident Response">If key leak: revoke, rotate, invalidate suspicious sessions.</Accordion>
</AccordionGroup>

## Metrics

| Metric                  | Target                  | Trigger                          |
| ----------------------- | ----------------------- | -------------------------------- |
| Unauthorized Attempts   | 0                       | Any → investigate & rotate       |
| Server Key Age (days)   | \< 365                  | ≥ 365 → rotate                   |
| mTLS Coverage (%)       | 100% for auth endpoints | \<100% → migrate remaining calls |
| Auth Token Failure %    | \< 2%                   | Spike → check clocks / code path |
| Cert Expiry Lead (days) | > 30                    | \< 30 → start renewal            |

## Troubleshooting

| Symptom                   | Cause                    | Resolution                                |
| ------------------------- | ------------------------ | ----------------------------------------- |
| 401 on auth token request | Wrong/rotated Server Key | Update secret & redeploy backend          |
| Access token missing      | Auth token not supplied  | Ensure client sends authToken parameter   |
| mTLS handshake fail       | Expired or CN mismatch   | Renew cert; confirm chain validity        |
| High auth failure rate    | Clock skew               | Sync NTP on servers                       |
| Sudden unauthorized spike | Key compromise           | Rotate Server Key immediately; audit logs |

## Quick Reference

<CardGroup cols={2}>
  <Card title="Production Baseline" icon="check">Secure Mode ON</Card>
  <Card title="High Assurance" icon="shield">Add mTLS</Card>
  <Card title="Rotate Key" icon="arrows-repeat">≤12 months</Card>
  <Card title="Cert Renewal" icon="calendar">≥30 day lead</Card>
</CardGroup>

## Related

<CardGroup cols={2}>
  <Card title="Admin Tokens" icon="key" href="./admin-tokens">Lifecycle management</Card>
  <Card title="Integrations" icon="plug" href="./integrations">Webhooks & Push</Card>
</CardGroup>

<CardGroup cols={2}>
  <Card title="Branding" icon="image" href="./branding">Logo & brand account</Card>
  <Card title="Admin Access" icon="users" href="/analytics-and-moderation/console/management/admin-access-control">Role governance</Card>
</CardGroup>