Security
Security recommendations for Stacksona integrations across visual builders, code frameworks, MCP clients, and HTTP recipes.
Key handling
| Practice | Guidance |
|---|---|
| Use platform secrets | Store Stacksona keys in n8n credentials, environment variables, GitHub secrets, platform vaults, or server-side config. |
| Never expose keys to browsers | SDK and HTTP calls that use the API key must run server side. |
| Separate environments | Use different Gate URLs and API keys for development, staging, and production. |
| Rotate keys | Rotate keys on a schedule and after teammate or vendor access changes. |
Data minimization
Send enough context for review, but avoid unnecessary secrets, credentials, raw private data, or full documents when a summary, diff, or fingerprint is enough.
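One way to apply this on the server side before a request leaves your system, shown as an added example rather than Stacksona's own code. The payload field names and the `SENSITIVE_KEYS` list are assumptions for illustration, and no Stacksona API is called.

```python
import difflib
import hashlib
import json

# Assumption: key names that mark a value as a secret; extend for your own data.
SENSITIVE_KEYS = ("password", "secret", "token", "api_key", "authorization")


def fingerprint(text: str) -> str:
    """SHA-256 of the content, so a reviewer can confirm which version was approved."""
    return "sha256:" + hashlib.sha256(text.encode("utf-8")).hexdigest()


def redact(value):
    """Recursively replace values stored under secret-looking keys."""
    if isinstance(value, dict):
        return {
            k: "[REDACTED]" if any(s in k.lower() for s in SENSITIVE_KEYS) else redact(v)
            for k, v in value.items()
        }
    if isinstance(value, list):
        return [redact(v) for v in value]
    return value


def build_review_context(action: str, old_doc: str, new_doc: str, metadata: dict) -> dict:
    """Hypothetical payload shape: a diff and fingerprints instead of full documents."""
    diff = difflib.unified_diff(
        old_doc.splitlines(), new_doc.splitlines(),
        fromfile="before", tofile="after", lineterm="", n=1,
    )
    return {
        "action": action,
        "before_fingerprint": fingerprint(old_doc),
        "after_fingerprint": fingerprint(new_doc),
        "diff": "\n".join(diff),
        "metadata": redact(metadata),
    }


if __name__ == "__main__":
    # Constructed sample input.
    old = "plan: basic\nseats: 5\nnotes: internal pricing memo\n"
    new = "plan: enterprise\nseats: 5\nnotes: internal pricing memo\n"
    meta = {"requested_by": "ops-bot", "db": {"host": "db.internal", "password": "hunter2"}}
    print(json.dumps(build_review_context("contract_change", old, new, meta), indent=2))
```

A diff still carries whatever is on the changed lines and their immediate context, so review what those lines contain before sending them.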
Signed approval tokens
Use signed tokens for financial actions, production deployments, customer data deletion, security changes, account changes, contract changes, and other high-impact actions.
Agent tools security
```bash
STACKSONA_AGENT_TOOLS_PROFILE=prod
STACKSONA_AGENT_TOOLS_ALLOWED_ROOTS=/safe/root
STACKSONA_AGENT_TOOLS_DISABLE_FILE_TOOLS=true
STACKSONA_AGENT_TOOLS_MAX_FILE_BYTES=10485760
```