
Securing your token

Your authentication token provides access to your licensed products, so it's important to keep it secure and limit how it can be used. One of the simplest and most effective security measures is to rotate your tokens regularly, using the same approach you would take with passwords.

Additional security controls

In the Self Service Portal, you can apply additional controls to restrict where and how a token is used.

These controls include:

  • Specifying CORS origin domains, so only requests from approved domains are accepted.
  • Defining permitted URLs, so only requests from approved URLs are accepted.
  • IP whitelisting, to restrict access to known network locations.

See Managing tokens for a detailed guide on how to add security controls to existing tokens.

Choosing the right security controls

The security controls you use should match how and where your integration runs. Different usage models have different risk profiles, so the recommendations below focus on providing the right level of protection without adding unnecessary complexity.

Use this approach when validation requests are made directly from a web page or browser‑based application.

Recommended controls

  • Permitted URLs to ensure the integration can only be used from approved websites
  • CORS origin domains to restrict which websites can access API responses in the browser
  • Regular token rotation as part of operational security

This combination helps protect against other websites copying your integration code or making unauthorised requests that could result in unexpected usage or charges.

Use this approach when validation requests are made from your own backend systems or services.

Recommended controls

  • IP whitelisting to restrict access to trusted network locations
  • Separate tokens per environment (for example, development, test, and production)
  • Regular token rotation as part of operational security

Because these integrations run outside the browser, permitted URLs and CORS controls do not apply.

For additional security, you may choose to avoid exposing your token in client‑side JavaScript and instead route requests through your own back‑end service. This allows you to keep credentials private and apply server‑side controls.

In real‑time, user‑facing scenarios, this approach can introduce a small amount of additional latency due to the extra network hop. When using this pattern, consider performance, availability, and timeout settings to ensure a responsive user experience.
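The following is an added example, not code from the portal or the product documentation, showing how the three controls described above (CORS origin domains, permitted URLs, IP whitelisting) decide whether a request is accepted, split by the two integration profiles. The policy values, the header names, and the rule that a permitted URL also covers paths beneath it are assumptions made for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample policy with placeholder values (not from the portal).
POLICY = {
    "cors_origins": {"https://shop.example.com"},
    "permitted_urls": {"https://shop.example.com/checkout"},
    "ip_allowlist": ["203.0.113.0/24", "198.51.100.7"],
}

def normalise_origin(url):
    """Reduce a URL to its lower-case scheme://host[:port]; None if unusable."""
    try:
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            return None
        port = f":{parts.port}" if parts.port else ""
    except ValueError:  # e.g. malformed port
        return None
    return f"{parts.scheme}://{parts.hostname}{port}".lower()

def origin_allowed(origin, policy):
    """CORS origin control: exact origin match, no wildcards, 'null' rejected."""
    norm = normalise_origin(origin or "")
    return norm is not None and norm in {normalise_origin(o) for o in policy["cors_origins"]}

def url_allowed(referer, policy):
    """Permitted-URL control: same origin, and the page path is the permitted path or below it
    (assumed matching rule); query strings are ignored so they cannot widen the match."""
    if not referer:
        return False
    rp = urlsplit(referer).path or "/"
    for allowed in policy["permitted_urls"]:
        ap = urlsplit(allowed).path.rstrip("/")
        same_origin = normalise_origin(referer) == normalise_origin(allowed)
        if same_origin and (rp == ap or rp.startswith(ap + "/")):
            return True
    return False

def ip_allowed(client_ip, policy):
    """IP whitelisting control: single addresses or CIDR ranges; unparsable input is rejected."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(n, strict=False) for n in policy["ip_allowlist"])

def evaluate(profile, headers, client_ip, policy):
    """Apply the controls recommended for each profile; returns (allowed, reason).
    'browser': Origin and Referer must both match. 'server': only the client IP is checked,
    because permitted URLs and CORS do not apply outside the browser."""
    if profile == "browser":
        if not origin_allowed(headers.get("Origin"), policy):
            return False, "origin not in CORS allowlist"
        if not url_allowed(headers.get("Referer"), policy):
            return False, "referer not a permitted URL"
        return True, "ok"
    if profile == "server":
        return (True, "ok") if ip_allowed(client_ip, policy) else (False, "client IP not allowlisted")
    return False, "unknown profile"
```

A request from a look-alike origin such as `https://shop.example.com.evil.net` or a path such as `/checkout-evil` is rejected because matching is exact on the origin and prefix-bounded on the path.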