GuidedMind Python SDK v2.4

Security

Protecting your API key and running the GuidedMind SDK safely in production.

API Key Management

Your API key is a secret credential with full access to your GuidedMind project. Treat it like a database password.

Do
  • Store the key in a GUIDEDMIND_API_KEY environment variable
  • Use a secrets manager in production (AWS Secrets Manager, HashiCorp Vault, GCP Secret Manager)
  • Use .env files locally with .gitignore to exclude them from commits
  • Rotate keys regularly and immediately after any suspected exposure
  • Create separate keys per environment (dev / staging / production)
Don't
  • Hardcode keys in source code or configuration files
  • Commit keys to version control — even in private repos
  • Share keys across environments or team members
  • Log the raw key or include it in error messages
  • Expose keys in client-side JavaScript or mobile app binaries

Correct Pattern

# ✅ Read from environment — the SDK does this automatically
from guidedmind import Client
 
client = Client()  # reads GUIDEDMIND_API_KEY
 
# ✅ Explicit env lookup — acceptable
import os
client = Client(api_key=os.environ["GUIDEDMIND_API_KEY"])
 
# ❌ Never do this
client = Client(api_key="gm_live_abc123...")

Using python-dotenv (Development Only)

# app.py (development only; in production the key comes from the environment or a secrets manager)
from dotenv import load_dotenv
load_dotenv()  # loads .env into os.environ; does not override variables that are already set
 
from guidedmind import Client
client = Client()  # reads GUIDEDMIND_API_KEY

# .env — never commit this file
GUIDEDMIND_API_KEY=gm_live_your_key_here

# .gitignore
.env
.env.local
.env.*.local

Built-in Security Features

The SDK enforces several security properties automatically:

  • Key format validation — The client rejects malformed keys at initialisation time, before any network request is made.
  • Key redaction in logs — Any log output or error message that would contain your API key is automatically redacted to gm_live_***.
  • HTTPS enforcement — The client raises ConfigurationError if base_url uses http:// instead of https://. TLS 1.2+ is required.
  • Input validation — All parameters are validated by Pydantic before the request is sent, preventing malformed data from reaching the API.
  • No sensitive data in errors — Exception messages are sanitised — they never include request bodies or full response payloads that might contain user data.
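The redaction above covers output the SDK itself produces. Anything your own code logs (a dumped config dict, a request-header map, an exception message built with an f-string) is outside the SDK's reach, and that is where keys usually leak. The following is an added example, not SDK code: a logging formatter that masks keys in the fully rendered line, so keys arriving through %-args, dict reprs, exception messages and tracebacks are all caught. It assumes live keys look like gm_live_ followed by alphanumerics, matching the placeholder the page uses; adjust KEY_PATTERN if your project uses other prefixes. The sample key in demo() is constructed.

```python
import io
import logging
import re

# Assumption, not an SDK guarantee: live keys are "gm_live_" plus key characters,
# as in the page's placeholder "gm_live_abc123...". Extend for other prefixes.
KEY_PATTERN = re.compile(r"gm_live_[A-Za-z0-9]+")


def redact(text: str) -> str:
    """Mask every GuidedMind-looking key in text to the same form the SDK uses."""
    return KEY_PATTERN.sub("gm_live_***", text)


class RedactingFormatter(logging.Formatter):
    """Redact the rendered line, not just record.msg, so keys that arrive via
    %-args, f-strings, exception messages or traceback text are all covered."""

    def format(self, record: logging.LogRecord) -> str:
        return redact(super().format(record))


def make_logger(name: str, stream) -> logging.Logger:
    """Attach a redacting handler writing to `stream`; detach from the root logger
    so an unredacted root handler never sees the raw record."""
    handler = logging.StreamHandler(stream)
    handler.setFormatter(RedactingFormatter("%(levelname)s %(message)s"))
    logger = logging.getLogger(name)
    logger.handlers.clear()      # idempotent if called twice in one process
    logger.propagate = False
    logger.addHandler(handler)
    logger.setLevel(logging.DEBUG)
    return logger


def demo() -> str:
    """Push a constructed key through three common leak paths; return what was written."""
    key = "gm_live_abc123def456"   # constructed sample, not a real credential
    buf = io.StringIO()
    log = make_logger("guidedmind.demo", buf)

    # 1. a header map logged as a dict repr
    log.info("request headers: %s", {"Authorization": f"Bearer {key}"})
    # 2. a config dump via %-args
    log.debug("config loaded: api_key=%s env=%s", key, "prod")
    # 3. an exception whose message embeds the key, logged with a traceback
    try:
        raise RuntimeError(f"auth failed for key {key}")
    except RuntimeError:
        log.exception("call failed")
    return buf.getvalue()
```

Install the formatter on every handler that can reach stdout, files or a log shipper; redacting only the SDK's logger is not enough, because the leak paths above all go through your application's loggers. Pattern-based redaction is a safety net, not a substitute for never passing the key into a log call in the first place.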

Secrets Managers

AWS Secrets Manager

import boto3
import json
from guidedmind import Client
 
def get_client() -> Client:
    # The caller's IAM identity needs secretsmanager:GetSecretValue on this secret only
    sm = boto3.client("secretsmanager", region_name="us-east-1")
    secret = sm.get_secret_value(SecretId="guidedmind/api-key")
    # Secret is stored as JSON: {"api_key": "gm_live_..."}
    key = json.loads(secret["SecretString"])["api_key"]
    return Client(api_key=key)

HashiCorp Vault

import hvac
from guidedmind import Client
 
def get_client() -> Client:
    # hvac reads the Vault token from VAULT_TOKEN (or ~/.vault-token) when none is passed
    vault = hvac.Client(url="https://vault.example.com")
    # KV v2 engine at the default mount point "secret", i.e. secret/guidedmind
    secret = vault.secrets.kv.v2.read_secret_version(path="guidedmind")
    key = secret["data"]["data"]["api_key"]
    return Client(api_key=key)
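Both helpers above make a secrets-manager round trip every time get_client() is called, which in a request handler means one backend call per request and a hard runtime dependency on the secrets backend. The following is an added example, not part of the SDK or of either vendor's library: a small cache that fetches the key once, refreshes it after a TTL so a rotated key (see the rotation advice above) is picked up without a restart, and can be invalidated to force an immediate re-fetch, for instance after the API rejects the cached key. It takes any zero-argument fetch callable, so the body of either get_client() helper can be plugged in. The in-memory store and the keys in demo() are constructed so the behaviour can be observed offline.

```python
import threading
import time
from typing import Callable, List, Optional, Tuple


class CachedSecret:
    """Fetch a secret through `fetch`, cache it, and re-fetch after `ttl` seconds.

    `clock` is injectable so expiry can be tested without sleeping.
    """

    def __init__(self, fetch: Callable[[], str], ttl: float = 300.0,
                 clock: Callable[[], float] = time.monotonic):
        self._fetch = fetch
        self._ttl = ttl
        self._clock = clock
        self._lock = threading.Lock()     # one fetch at a time under concurrency
        self._value: Optional[str] = None
        self._expires_at = 0.0

    def get(self) -> str:
        with self._lock:
            now = self._clock()
            if self._value is None or now >= self._expires_at:
                self._value = self._fetch()
                self._expires_at = now + self._ttl
            return self._value

    def invalidate(self) -> None:
        """Force the next get() to hit the backend, e.g. after an auth failure."""
        with self._lock:
            self._value = None


class FakeSecretStore:
    """Constructed stand-in for Secrets Manager / Vault: counts round trips and
    supports rotation. Replace .read with the real fetch in production."""

    def __init__(self, key: str):
        self.key = key
        self.reads = 0

    def read(self) -> str:
        self.reads += 1
        return self.key

    def rotate(self, new_key: str) -> None:
        self.key = new_key


def demo() -> Tuple[List[str], int]:
    """Walk through cache hit, rotation, TTL expiry and forced refresh.
    Returns the keys observed by the caller and the number of backend reads."""
    fake_now = [1000.0]
    store = FakeSecretStore("gm_live_old0000")        # constructed sample key
    secret = CachedSecret(store.read, ttl=60.0, clock=lambda: fake_now[0])
    seen = []
    seen.append(secret.get())         # first call: backend round trip
    seen.append(secret.get())         # served from cache
    store.rotate("gm_live_new1111")   # operator rotates the key in the backend
    seen.append(secret.get())         # still the old key until the TTL expires
    fake_now[0] += 61                 # TTL elapses
    seen.append(secret.get())         # re-fetched: new key
    store.rotate("gm_live_new2222")
    secret.invalidate()               # e.g. the API just rejected the cached key
    seen.append(secret.get())         # immediate re-fetch, no waiting for the TTL
    return seen, store.reads
```

Wire it up once at startup, for example `api_key = CachedSecret(lambda: get_client_key())`, and build `Client(api_key=api_key.get())` where you need one. Keep the TTL short enough that a rotation propagates on its own, and call invalidate() and retry once when a request fails authentication, so a key revoked from the dashboard is replaced without a deploy.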

Network Security

If your infrastructure requires outbound traffic restrictions, allow the following:

Endpoint            Port   Protocol
api.guidedmind.ai   443    HTTPS / TLS 1.2+

The SDK does not make connections to any other external hosts.

If you suspect your API key has been compromised, revoke it immediately from the GuidedMind dashboard under Settings → API Keys, then generate a new one. Revocation takes effect within 60 seconds.