As you integrate and extend the powerful .do platform using the .do Software Development Kit (SDK), security should be a paramount consideration. The .do SDK, the gateway to building custom solutions, automating workflows, connecting services, and leveraging agentic AI, provides immense power. With that power comes the responsibility to implement robust security measures.
This post outlines essential security best practices to ensure your integrations with the .do platform are secure and protected.
Your apiKey is the primary credential for authenticating your applications with the .do platform via the SDK. Treating it with the same care as a password is crucial.
Best Practices for API Key Management:
Never hardcode your API key directly in your application code. Hardcoding, as in the example below, is convenient during development but is a major security vulnerability.
// AVOID THIS IN PRODUCTION CODE
const sdk = new DoSDK({
  apiKey: 'YOUR_API_KEY_HARDCODED',
});
Use environment variables. Store your API key in environment variables on your server or in your deployment environment. This keeps the key separate from your codebase. Your application can then read the key from the environment variable at runtime.
import { DoSDK } from '@do/sdk';

const apiKey = process.env.DO_API_KEY; // Example for Node.js
if (!apiKey) {
  console.error("DO_API_KEY environment variable is not set.");
  process.exit(1);
}

const sdk = new DoSDK({
  apiKey: apiKey,
});
// ... rest of your SDK usage
Implement Secrets Management. For more complex applications and environments, consider using a dedicated secrets management system (e.g., HashiCorp Vault, AWS Secrets Manager, or Azure Key Vault). These systems provide secure storage, access control, and rotation capabilities for your API keys and other sensitive credentials.
Restrict API Key Permissions. The .do platform allows you to create API keys with specific permissions. Follow the principle of least privilege: only grant the permissions necessary for your application to function. Don't grant an API key full platform access if it only needs to trigger a specific workflow.
Rotate API Keys Regularly. Regularly rotate your API keys according to your organization's security policies. This minimizes the impact of a compromised key.
The security of your .do SDK integration is directly tied to the security of the environment where your application runs.
Key Considerations for Application Environment Security:
Keep Dependencies Updated: Regularly update the .do SDK and other third-party libraries used in your application. Updates often include crucial security patches that address known vulnerabilities.
Sanitize User Input: If your application accepts user input that is then used in conjunction with the .do SDK (e.g., parameters for triggering an agent), always validate and sanitize the input to prevent injection attacks and to reject other malicious input.
Implement Proper Access Control: Ensure that only authorized users or systems can access your application that uses the .do SDK. Implement authentication and authorization mechanisms appropriate for your use case.
Monitor and Log Activity: Implement logging for your application's interactions with the .do SDK. Monitor these logs for suspicious activity or unexpected errors.
Secure Your Hosting Environment: Regardless of whether you're hosting on-premises or in the cloud, apply standard security practices to your hosting environment, including firewalls, intrusion detection, and regular security audits.
The .do platform's Agentic AI capabilities, accessible via the SDK, are powerful. However, it's vital to understand the security implications of the jobs and tasks agents can perform.
Security Best Practices for Agentic Workflows:
Carefully Define Agent Permissions: Ensure that the agents triggered by your application have only the permissions necessary to execute their intended tasks.
Validate Agent Inputs: If your application provides input to an agent, validate and sanitize this input rigorously.
Monitor Agent Execution: Keep track of agent execution logs and outputs to identify any unexpected behavior or potential security incidents.
Understand Data Handling by Agents: Be aware of how agents handle sensitive data and ensure that data is processed and stored securely according to your data governance policies.
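One way to apply the input-validation advice from both lists above ("Sanitize User Input" and "Validate Agent Inputs") before user-supplied values reach an agent, as an added example that is not code from the .do SDK or from this post. The schema and its field names (ticketId, priority, summary) are hypothetical, and the SDK call that would receive the cleaned object is omitted because the post does not show it.

```javascript
// Added example: allowlist validation of user-supplied agent parameters.
// AGENT_INPUT_SCHEMA and its field names are hypothetical.
const AGENT_INPUT_SCHEMA = {
  ticketId: { type: 'string', pattern: /^[A-Z]{2,5}-\d{1,8}$/, required: true },
  priority: { type: 'string', oneOf: ['low', 'normal', 'high'], required: true },
  summary: { type: 'string', maxLength: 500, required: false },
};

function validateAgentInput(raw, schema = AGENT_INPUT_SCHEMA) {
  if (raw === null || typeof raw !== 'object' || Array.isArray(raw)) {
    throw new TypeError('agent input must be a plain object');
  }
  // Reject unknown keys instead of silently forwarding them to the agent.
  for (const key of Object.keys(raw)) {
    if (!Object.prototype.hasOwnProperty.call(schema, key)) {
      throw new Error(`unexpected field: ${key}`);
    }
  }
  const clean = Object.create(null); // no inherited properties
  for (const [key, rule] of Object.entries(schema)) {
    const value = raw[key];
    if (value === undefined) {
      if (rule.required) throw new Error(`missing field: ${key}`);
      continue;
    }
    if (typeof value !== rule.type) throw new Error(`wrong type for ${key}`);
    if (rule.pattern && !rule.pattern.test(value)) throw new Error(`bad format for ${key}`);
    if (rule.oneOf && !rule.oneOf.includes(value)) throw new Error(`bad value for ${key}`);
    if (rule.maxLength && value.length > rule.maxLength) throw new Error(`${key} too long`);
    // Drop non-printable control characters (tab, CR and LF are kept).
    clean[key] = value.replace(/[\u0000-\u0008\u000B\u000C\u000E-\u001F\u007F]/g, '');
  }
  return clean;
}

// Constructed input: accepted, with the BEL character removed from summary.
const example = validateAgentInput({
  ticketId: 'OPS-1234',
  priority: 'high',
  summary: 'disk\u0007 full',
});
console.log(example.ticketId, example.priority, JSON.stringify(example.summary));
```

Only the object returned by validateAgentInput should be passed on; a thrown error should map to a 4xx response rather than a retry.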
The .do SDK communicates with the .do platform over HTTPS. Ensure that your application environment is configured to trust valid SSL/TLS certificates. Avoid disabling SSL/TLS validation, especially in production environments.
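A static check for the two code-level mistakes this post warns about, a hardcoded apiKey literal and disabled TLS certificate validation, as an added example that is not part of the .do SDK or the original post. The rule ids and the sample source are constructed; rejectUnauthorized and NODE_TLS_REJECT_UNAUTHORIZED are the standard Node.js settings.

```javascript
// Added example: line-based scan for two risky patterns in JavaScript source.
// Rule ids and SAMPLE are constructed for this illustration.
const RULES = [
  {
    id: 'hardcoded-api-key',
    // apiKey assigned a quoted literal (a variable or process.env does not match)
    pattern: /\bapiKey\s*[:=]\s*(['"])(?:(?!\1).)+\1/,
  },
  {
    id: 'tls-validation-disabled',
    // Node.js settings that switch off certificate verification; the "=" form
    // matches assignment only, so a guard using === '0' is not flagged
    pattern: /\brejectUnauthorized\s*:\s*false\b|NODE_TLS_REJECT_UNAUTHORIZED['"]?\]?\s*=\s*['"]?0\b/,
  },
];

// Returns [{ file, line, rule }]. The matched text is deliberately left out
// so a real key never ends up in CI logs or review comments.
function scanSource(source, file = '<input>') {
  const findings = [];
  source.split(/\r?\n/).forEach((text, index) => {
    for (const rule of RULES) {
      if (rule.pattern.test(text)) {
        findings.push({ file, line: index + 1, rule: rule.id });
      }
    }
  });
  return findings;
}

// Constructed sample: lines 2, 5 and 6 should be reported; 4 and 7 should not.
const SAMPLE = [
  'const sdk = new DoSDK({',
  "  apiKey: 'YOUR_API_KEY_HARDCODED',",
  '});',
  'const ok = new DoSDK({ apiKey: process.env.DO_API_KEY });',
  'const agent = new https.Agent({ rejectUnauthorized: false });',
  "process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';",
  "if (process.env.NODE_TLS_REJECT_UNAUTHORIZED === '0') process.exit(1);",
].join('\n');

for (const f of scanSource(SAMPLE, 'sample.js')) {
  console.log(`${f.file}:${f.line} ${f.rule}`);
}
```

Run over the repository in a pre-commit hook or CI job, a non-empty result is a reason to fail the build.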
Periodically conduct security audits of your applications that integrate with the .do platform using the SDK. This includes reviewing your code, API key management, environment security, and logging practices.
By implementing these security best practices, you can significantly enhance the security and reliability of your applications built with the .do SDK, allowing you to confidently leverage the platform's integration and extension capabilities for building custom solutions, automating workflows, connecting your services, and harnessing agentic AI. Develop with ease, but develop securely!