Best Practices

Security is a top priority at We take several measures to ensure every implementation of AutoQL is completely secure.


Google Cloud Service Account

Whoever has the file with the details for your cloud service account can make an arbitrary number of tokens that our API will accept. Consider anyone with access to this file as having access to every database you have connected to AutoQL. Please follow the steps outlined in the JWT Tokens section of our docs to ensure this artifact is adequately secured.



We highly recommend that you always default to our auto-generated hashed resource IDs in the API rather than custom-set IDs. Sequential IDs can easily be incremented or decremented by malicious actors looking for adjacent data.


API Keys

API keys are low risk, as they are used primarily for routing and not for authentication. Just be careful to ensure that your key (whether it be a Staging or Production key) matches your intent. For more information on acquiring, managing, and using keys, visit the API Keys section of our docs.



JWTs can be intercepted and used to make API calls by malicious third parties. To avoid abuse, keep your key expiry window as short as possible, and resource authorities as terse as possible. We recommend a 10-minute expiry time and strongly caution against expiry times exceeding an hour. For more information on acquiring, managing, and using tokens, visit the JWT Tokens section of our docs.
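The expiry and scope guidance above can be enforced as a check on the tokens your own backend mints. This is an added example, not AutoQL's code: it uses an HS256 shared secret as a stand-in for service-account signing, and the `resources` claim name is a hypothetical placeholder for whatever claim carries resource authorities.

```python
import base64, hashlib, hmac, json, time

RECOMMENDED_TTL = 10 * 60  # the page's recommended expiry: 10 minutes
MAX_TTL = 60 * 60          # the page cautions against exceeding an hour

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(secret: bytes, signing_input: str) -> bytes:
    return hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()

def mint(secret: bytes, claims: dict, ttl: int = RECOMMENDED_TTL, now=None) -> str:
    """Build a compact JWT (HS256 stand-in) with iat/exp derived from ttl."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps({**claims, "iat": now, "exp": now + ttl}).encode())
    return f"{header}.{body}.{_b64url(_sign(secret, f'{header}.{body}'))}"

def audit(token: str, secret: bytes, allowed_resources: set, now=None) -> list:
    """Return policy findings for a token; an empty list means it passes."""
    now = int(time.time()) if now is None else now
    try:
        header, body, sig = token.split(".")
        # Verify before trusting any claim; constant-time comparison.
        if not hmac.compare_digest(_sign(secret, f"{header}.{body}"),
                                   _b64url_decode(sig)):
            return ["bad signature"]
        claims = json.loads(_b64url_decode(body))
        iat, exp = int(claims["iat"]), int(claims["exp"])
    except (ValueError, KeyError, TypeError):
        return ["malformed token"]
    findings = []
    if exp <= now:
        findings.append("expired")
    if exp - iat > MAX_TTL:
        findings.append("lifetime exceeds one hour")
    elif exp - iat > RECOMMENDED_TTL:
        findings.append("lifetime exceeds recommended 10 minutes")
    # "resources" is a hypothetical claim name for resource authorities.
    extra = set(claims.get("resources", [])) - allowed_resources
    if extra:
        findings.append("unneeded resources: " + ", ".join(sorted(extra)))
    return findings
```

Running `audit` in a unit test or CI step against the output of your token-minting code catches a lengthened expiry or widened scope before it ships.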