# Security > Security practices in PromptRails including encryption, authentication, API key security, and access control. Source: https://0.0.0.0:8080/docs/security PromptRails is designed with security as a core concern. This page covers the encryption, authentication, authorization, and operational security measures built into the platform. ## Encryption ### At Rest - **Credentials** are encrypted before storage and never exposed in API responses. - **Passwords** are securely hashed to prevent brute-force attacks. - **Webhook trigger tokens** are encrypted before storage. - **PIN codes** for Agent UI deployments are hashed. ### In Transit - All API communication is encrypted via TLS. - WebSocket connections use secure WebSocket (WSS). ## Authentication ### User Authentication User authentication uses short-lived access tokens and refresh tokens. Multi-factor authentication (TOTP) is supported and can be enforced at the workspace level. ### API Key Authentication API keys provide programmatic access: - Keys are cryptographically generated - Only a hash is stored — the raw key is shown once at creation time - Keys are validated on every request ## API Key Security ### Scopes API keys support fine-grained scopes that follow the principle of least privilege. Always grant the minimum scopes needed for each integration. See [API Keys & Scopes](/docs/api-keys-and-scopes) for the full list. ### IP Restrictions API keys can be restricted to specific IP addresses or CIDR ranges from the PromptRails dashboard when you create or edit a key. Requests from non-allowed IPs are rejected with `403 Forbidden`. ### CORS Origin Restrictions For browser-based applications, API keys can restrict which origins are allowed by configuring an origin allowlist in the dashboard. ### Key Expiration Set expiration dates on API keys to enforce rotation: ## Rate Limiting PromptRails applies rate limiting to protect against abuse. Limits vary by endpoint and plan. ## Authorization ### Workspace Isolation All resources are workspace-scoped. Users can only access resources within workspaces they are members of. There is no cross-workspace data access. ### Role-Based Access Control Three workspace roles control user permissions: | Role | Level | | ----- | ------------------------------------------ | | Owner | Full control, including workspace deletion | | Admin | Resource and team management | | User | Resource usage with limited management | ### Credential Masking Credential values are never returned in API responses. Only a masked version is shown: ``` sk-proj-abc...xyz9 ``` The full value is only available at creation time and is encrypted immediately. ## Data Retention Deleted resources are retained for recovery and audit purposes. Historical references remain valid, and audit trails are preserved. ## Best Practices - Use API keys with the minimum required scopes - Set IP restrictions on production API keys - Enable MFA for all team members - Set key expiration dates and rotate regularly - Use CORS restrictions for browser-based integrations ## Reporting Vulnerabilities If you discover a security vulnerability, please report it to [security@promptrails.ai](mailto:security@promptrails.ai). ## Related Topics - [API Keys and Scopes](/docs/api-keys-and-scopes) -- Detailed API key management - [Credentials](/docs/credentials) -- Credential management - [Team and Roles](/docs/team-and-roles) -- Access control