Security Best Practices

Protect your code, collaborators, and infrastructure with Partner.js security guidelines and implementation patterns.


API Security Practices

Token Management

  • Rotate API keys every 30 days
  • Use scoped tokens with minimal permissions
  • Store secrets in encrypted environment variables

Example: Secure API Call

import { Partner } from 'partner-js';

// Read the key from the environment; never hard-code it in source.
const client = new Partner({
  apiKey: process.env.PARTNER_API_KEY,
  baseDomain: 'https://api.partner.js' // HTTPS endpoint only
});

// Share a snippet and handle both the success and the failure path.
client.code.share({
  code: 'console.log("Secure Share");',
  language: 'javascript'
}).then(response => {
  console.log('Share ID:', response.id);
}).catch(error => {
  console.error('Request failed:', error);
});

Authentication Protocols

OAuth 2.0 Security

Use PKCE for public clients and refresh tokens for long-lived sessions. Always verify ID tokens with JWKS endpoints.

API Key Security

Implement IP whitelisting and rate limiting. Rotate keys after any potential exposure.

Session Management

Implement sliding session expiration and granular permission scopes for all API tokens.

Encryption Requirements

Transport Security

  • Enforce HTTPS with strong TLS 1.2+ cipher suites
  • Always validate SSL certificates for outgoing requests
  • Use HSTS headers on all secure endpoints

Data At Rest

  • AES-256 encryption for all persisted code assets
  • Separate encryption keys for each environment
  • Regular key rotation policies (minimum 90 days)

Security Implementation Checklist

Verify TLS certificate validation

Always validate SSL certificates for all outgoing connections.

Implement rate limiting

Use sliding window rate limiting for all endpoints.

Enable audit logging

Log all access and modify operations with user identifiers.

Sanitize user input

Use content security policies for all client-side code execution.

Security Incident Response

Report Vulnerability

If you discover a security vulnerability in Partner.js infrastructure or APIs, please:

  1. Send a detailed report to security@partner.js
  2. Allow 90 days for coordinated vulnerability disclosure
  3. Get a CVE identifier and patch tracking info

Our team follows the ISO 22301 incident management standard for security issues. All security events are:

  • Logged within 5 minutes
  • Escalated to engineering within 10 minutes
  • Communicated to stakeholders within 2 hours
  • Fixed within 24 hours for high-severity issues