Protect your account, API keys, and projects with these essential security practices.
Updated July 2025
Account Security
Use a Strong, Unique Password
Your Vigthoria account gives access to powerful AI tools. Protect it with a strong password that you don't use anywhere else.
Strong Password Tips
Use at least 16 characters
Mix uppercase, lowercase, numbers, and symbols
Consider a passphrase of several random, unrelated words; the well-known "correct-horse-battery-staple" is only an illustration and, precisely because it is famous, must never be used as-is
Use a password manager (1Password, Bitwarden, etc.)
Enable Two-Factor Authentication (2FA)
2FA adds a crucial extra layer of security. Even if your password is compromised, an attacker still needs the second factor to sign in. Note that a one-time code from an authenticator app can still be phished in real time, so only enter codes on the site you navigated to yourself, never on a page reached from a link in a message.
To enable 2FA:
Go to Account Settings → Security
Click Enable Two-Factor Authentication
Scan the QR code with your authenticator app
Save your backup codes in a secure location
Important
Store your backup codes securely offline. If you lose your authenticator device and don't have backup codes, you may lose access to your account.
Monitor Account Activity
Regularly check your account for suspicious activity:
Review login history in Account Settings → Security → Login History
Check for unrecognized devices or locations
Set up email alerts for new device logins
API Key Management
API keys are like passwords for your applications. Treat them with the same level of care.
Security Severity Levels
CRITICAL: Key exposed publicly (pasted into a public repository, issue tracker, chat, or log)
HIGH: Key committed to a code repository, even a private one (deleting the file later does not remove it from git history; treat the key as exposed and rotate it)
MEDIUM: Key shared with the team (every extra person and machine is another place it can leak from; prefer one key per person or service)
LOW: Key in a local .env file that is listed in .gitignore
Never Commit Keys to Version Control
Never Do This
// ❌ NEVER hardcode API keys in your code
const apiKey = "vg-live-sk-abc123def456...";
Do This Instead
// ✅ Use environment variables
const apiKey = process.env.VIGTHORIA_API_KEY;
# In your .env file (add .env to .gitignore!)
VIGTHORIA_API_KEY=vg-live-sk-abc123def456...
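The environment-variable pattern above still fails silently when the variable is missing or still holds a placeholder. The following is an added example, not code from the Vigthoria page or product: a minimal .env parser, a merge step that lets values injected by the deployment platform override the file, and a loader that refuses to start on a missing, placeholder, or wrong-environment key. The assumptions are that live keys start with `vg-live-sk-` (as the sample on this page does), that `NODE_ENV=production` marks production, and that the .env file follows the usual `KEY=value` convention.

```javascript
// Added example, not code from the Vigthoria page: read the key from a .env
// file merged into the process environment, and refuse to start on a missing,
// placeholder or wrong-environment key instead of silently misbehaving.

// Minimal .env parser (KEY=value lines, '#' comments, optional quotes).
// Assumption: your .env follows this common convention.
function parseDotenv(text) {
  const vars = {};
  for (const rawLine of text.split(/\r?\n/)) {
    const line = rawLine.trim();
    if (line === "" || line.startsWith("#")) continue;
    const eq = line.indexOf("=");
    if (eq === -1) continue;                 // not an assignment, skip it
    const name = line.slice(0, eq).trim();
    let value = line.slice(eq + 1).trim();
    const quoted = value.length >= 2 &&
      ((value.startsWith('"') && value.endsWith('"')) ||
       (value.startsWith("'") && value.endsWith("'")));
    if (quoted) value = value.slice(1, -1);
    vars[name] = value;
  }
  return vars;
}

// Merge parsed values into env without overriding anything already set:
// a value injected by the deployment platform or the shell wins over the file.
function mergeDotenv(parsed, env) {
  const merged = { ...env };
  for (const [name, value] of Object.entries(parsed)) {
    if (!(name in merged)) merged[name] = value;
  }
  return merged;
}

// Assumption: live keys start with "vg-live-sk-", as the sample on this page does.
const LIVE_KEY_PREFIX = "vg-live-sk-";
// The placeholder this page recommends when sharing code with an AI assistant.
const PLACEHOLDER = "YOUR_API_KEY_HERE";

// Returns the key or throws. There is deliberately no default value, so a
// misconfigured deployment fails loudly rather than using the wrong credential.
function loadApiKey(env) {
  const key = env.VIGTHORIA_API_KEY;
  if (!key) {
    throw new Error("VIGTHORIA_API_KEY is not set: add it to .env locally or to your secret store");
  }
  if (key === PLACEHOLDER) {
    throw new Error("VIGTHORIA_API_KEY is still the placeholder, not a real key");
  }
  // In production only a live key is acceptable; in development and staging a
  // test or sandbox key is what you want (see the per-environment section).
  if (env.NODE_ENV === "production" && !key.startsWith(LIVE_KEY_PREFIX)) {
    throw new Error("production is configured with a non-live key");
  }
  return key;
}

// Typical startup sequence (fs is Node's standard module):
//   const fs = require("fs");
//   const env = mergeDotenv(parseDotenv(fs.readFileSync(".env", "utf8")), process.env);
//   const apiKey = loadApiKey(env);
```

Because `mergeDotenv` never overwrites an existing variable, the same code runs unchanged in a container where the platform injects `VIGTHORIA_API_KEY` from its secret store and no .env file exists at all.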
Set Up .gitignore Properly
.gitignore
# Environment files
.env
.env.local
.env.production
.env.*.local
# API keys and secrets
*.pem
*.key
secrets.json
config/secrets.yml
Use Different Keys for Different Environments
Development: Use test/sandbox keys with limited permissions
Staging: Use separate keys that can be rotated frequently
Production: Use live keys with strict access controls
Rotate Keys Regularly
Even if you haven't had a security incident, rotating keys periodically limits the damage if a key is ever compromised without your knowledge.
Rotate production keys every 90 days
Rotate immediately if you suspect a leak
Keep track of where each key is used before rotating
If a Key is Exposed
Revoke immediately — Go to Account Settings → API Keys → Revoke
Generate a new key
Update all applications using the old key
Review usage logs for unauthorized access
Investigate the leak to prevent recurrence
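Step 4, reviewing usage logs, is where the real scope of an incident is decided. The following is an added example, not code from the Vigthoria page or product, showing the triage a practitioner runs over a usage export once a key is known to be exposed. It assumes the export is JSON lines with `ts`, `key_id`, `ip`, `endpoint` and `status` fields (rename these to match your actual export), and the sample log is constructed, not real data.

```javascript
// Added example, not code from the Vigthoria page: triage usage logs for a key
// you believe was exposed. Assumption: the usage export is JSON lines with
// ts, key_id, ip, endpoint and status fields; adapt the names to your export.
const SAMPLE_USAGE_LOG = [   // constructed sample, not real data
  '{"ts":"2025-07-01T09:00:00Z","key_id":"key_prod_01","ip":"203.0.113.10","endpoint":"/v1/complete","status":200}',
  '{"ts":"2025-07-01T09:05:00Z","key_id":"key_prod_01","ip":"203.0.113.10","endpoint":"/v1/complete","status":200}',
  '{"ts":"2025-07-01T11:42:00Z","key_id":"key_prod_01","ip":"198.51.100.77","endpoint":"/v1/complete","status":200}',
  '{"ts":"2025-07-01T11:43:30Z","key_id":"key_prod_01","ip":"198.51.100.77","endpoint":"/v1/complete","status":200}',
  '{"ts":"2025-07-01T11:44:00Z","key_id":"key_prod_01","ip":"198.51.100.77","endpoint":"/v1/keys","status":403}',
  '{"ts":"2025-07-01T12:00:00Z","key_id":"key_prod_02","ip":"203.0.113.11","endpoint":"/v1/complete","status":200}',
  'garbage line that is not JSON',
];

// Parse one JSON object per line; malformed lines are counted, not dropped
// silently, because a broken export is itself something to report.
function parseUsageLog(lines) {
  const events = [];
  let malformed = 0;
  for (const line of lines) {
    try {
      const e = JSON.parse(line);
      events.push({ ...e, t: Date.parse(e.ts) });
    } catch (err) {
      malformed += 1;
    }
  }
  return { events, malformed };
}

// keyId: the exposed key; exposedAt: your best estimate of when it leaked;
// knownIps: egress addresses of your own systems that legitimately use it.
function triageExposedKey(lines, { keyId, exposedAt, knownIps }) {
  const { events, malformed } = parseUsageLog(lines);
  const known = new Set(knownIps);
  const cutoff = Date.parse(exposedAt);
  const withKey = events.filter(e => e.key_id === keyId);
  const suspicious = withKey
    .filter(e => !known.has(e.ip))
    .sort((a, b) => a.t - b.t);
  const byIp = {};
  for (const e of suspicious) byIp[e.ip] = (byIp[e.ip] || 0) + 1;
  return {
    totalWithKey: withKey.length,
    suspicious,
    byIp,
    firstSuspiciousAt: suspicious.length ? suspicious[0].ts : null,
    // Unknown-IP traffic before the assumed leak time means the key leaked
    // earlier than you think: widen the investigation window.
    exposedEarlierThanAssumed: suspicious.some(e => e.t < cutoff),
    // Denied calls from an unknown IP (for example trying to list or create
    // keys) are a common sign of someone probing what the stolen key can do.
    deniedProbes: suspicious.filter(e => e.status === 403).length,
    malformed,
  };
}
```

Run it with the exposure time you first assumed; if `exposedEarlierThanAssumed` comes back true, the timeline in your incident write-up is wrong and every system that received data from those earlier calls needs to be added to the scope.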
Code Security with AI
When using AI-generated code, you're responsible for its security. Here's how to stay safe.
Review All AI-Generated Code
AI can generate insecure code patterns. Always review for:
SQL Injection: Ensure queries use parameterized statements
XSS Vulnerabilities: Check that user input is escaped for the context it is rendered in (HTML body, attribute, URL, or script); one generic escape function does not cover all of them
Authentication Flaws: Verify auth logic is correct
Hardcoded Secrets: Remove any placeholder credentials
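For the first two review items, the fastest check is to run a classic payload through the code and look at what comes out. The following is an added example, not code from the Vigthoria page or any AI output, showing the concatenated and interpolated patterns an assistant commonly produces beside the parameterized and escaped forms a reviewer should insist on. The query builders return `{ text, values }` in the style of parameterized database drivers so the effect is visible without a database; no driver is used.

```javascript
// Added example, not code from the Vigthoria page: two patterns AI assistants
// commonly emit, each beside the form a reviewer should insist on. The query
// builders return { text, values } in the style of parameterized drivers so
// the effect is visible without a database (no driver is used here).

// ❌ String concatenation: the input becomes part of the SQL grammar.
function findUserUnsafe(username) {
  return { text: "SELECT id, role FROM users WHERE name = '" + username + "'", values: [] };
}

// ✅ Parameterized: the input travels as data and is never parsed as SQL.
function findUserSafe(username) {
  return { text: "SELECT id, role FROM users WHERE name = $1", values: [username] };
}

// ❌ Untrusted text interpolated straight into HTML.
function greetingUnsafe(name) {
  return `<p>Hello, ${name}!</p>`;
}

// Escape the characters that change meaning in HTML text and attribute values.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// ✅ Escaped for the HTML body context. Caveat: this encoder is wrong for
// other contexts (inside <script>, a URL, or an inline event handler), each
// of which needs its own encoding; a reviewer checks the context, not just
// the presence of "an escape function".
function greetingSafe(name) {
  return `<p>Hello, ${escapeHtml(name)}!</p>`;
}

// What a reviewer actually runs: does a classic payload survive into the output?
function reviewChecks() {
  const sqlPayload = "x' OR '1'='1";
  const xssPayload = '<img src=x onerror="alert(1)">';
  return {
    unsafeSqlAltered: findUserUnsafe(sqlPayload).text.includes("OR '1'='1"),
    safeSqlKeepsInputAsData: findUserSafe(sqlPayload).values[0] === sqlPayload
      && !findUserSafe(sqlPayload).text.includes(sqlPayload),
    unsafeHtmlKeepsTag: greetingUnsafe(xssPayload).includes("<img"),
    safeHtmlKeepsTag: greetingSafe(xssPayload).includes("<img"),
  };
}
```

The two "unsafe" functions are the ones to reject in review even when the assistant adds a comment claiming the input is validated; the question is whether the data can reach the parser or the browser as syntax, and with concatenation or raw interpolation it always can.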
Be Careful What You Share with AI
Never Share with AI
Real API keys, passwords, or secrets
Production database credentials
Customer personal data (PII)
Proprietary algorithms you want to keep secret
Security vulnerability details before patching
Safe to Share
Code structure and patterns (with secrets removed)
Error messages and stack traces (sanitized)
General architecture questions
Sample/mock data instead of real data
Use Placeholder Values
Safe Example
// When sharing code with AI, replace real values:
const config = {
apiKey: "YOUR_API_KEY_HERE", // ✅ Placeholder
dbHost: "db.example.com", // ✅ Fake host
adminEmail: "admin@example.com" // ✅ Example domain
};
Data Privacy
Understanding Data Handling
Vigthoria takes data privacy seriously:
Your prompts and code are processed to provide responses
We don't use your data to train models without consent
Enterprise plans offer additional data isolation options