Reference

Security

Security recommendations for Stacksona integrations across visual builders, code frameworks, MCP clients, and HTTP recipes.

Key handling

| Practice | Guidance |
| --- | --- |
| Use platform secrets | Store Stacksona keys in n8n credentials, environment variables, GitHub secrets, platform vaults, or server-side config. |
| Never expose keys to browsers | SDK and HTTP calls that use the API key must run server side. |
| Separate environments | Use different Gate URLs and API keys for development, staging, and production. |
| Rotate keys | Rotate keys on schedule and after teammate or vendor access changes. |

Data minimization

Send enough context for review, but avoid unnecessary secrets, credentials, raw private data, or full documents when a summary, diff, or fingerprint is enough.
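One way to apply this before sending review context, shown as an added example that is not Stacksona's own code or API. The field names (`before_sha256`, `diff`, `metadata`), the sensitive-key list, and the sample data are assumptions constructed for illustration.

```python
import difflib
import hashlib
import json

# Hypothetical key names treated as sensitive; adjust to your own payloads.
SENSITIVE_KEYS = {"password", "api_key", "token", "secret", "authorization"}

def fingerprint(data: bytes) -> str:
    """SHA-256 hex digest: lets a reviewer confirm which document was acted on."""
    return hashlib.sha256(data).hexdigest()

def redact(value):
    """Recursively replace values under sensitive keys, keeping the structure."""
    if isinstance(value, dict):
        return {k: "[REDACTED]" if k.lower() in SENSITIVE_KEYS else redact(v)
                for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v) for v in value]
    return value

def minimal_context(old_text: str, new_text: str, metadata: dict,
                    max_diff_lines: int = 40) -> dict:
    """Build review context from a diff and fingerprints, not full documents."""
    diff = list(difflib.unified_diff(
        old_text.splitlines(), new_text.splitlines(),
        fromfile="before", tofile="after", lineterm="", n=1))
    return {
        "before_sha256": fingerprint(old_text.encode()),
        "after_sha256": fingerprint(new_text.encode()),
        "diff": diff[:max_diff_lines],          # cap what leaves the system
        "diff_truncated": len(diff) > max_diff_lines,
        "metadata": redact(metadata),
    }

# Constructed sample input (not real data or real keys).
OLD = "plan: basic\nseats: 5\nowner: alice\n"
NEW = "plan: enterprise\nseats: 50\nowner: alice\n"
META = {"actor": "deploy-bot",
        "auth": {"api_key": "sk-constructed-example"},
        "tags": ["billing"]}

if __name__ == "__main__":
    print(json.dumps(minimal_context(OLD, NEW, META), indent=2))
```

A diff still carries whatever changed, so changed lines that contain secrets need the same redaction. A plain hash of a short or guessable value can be recovered by brute force; use a keyed HMAC for those.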

Signed approval tokens

Use signed tokens for financial actions, production deployments, customer data deletion, security changes, account changes, contract changes, and other high-impact actions.

Agent tools security

```bash
STACKSONA_AGENT_TOOLS_PROFILE=prod
STACKSONA_AGENT_TOOLS_ALLOWED_ROOTS=/safe/root
STACKSONA_AGENT_TOOLS_DISABLE_FILE_TOOLS=true
STACKSONA_AGENT_TOOLS_MAX_FILE_BYTES=10485760
```