Security model
How Sluicio secures the keys that authenticate telemetry ingestion and programmatic API/MCP access — storage, rotation, and handling.
This page covers how Sluicio secures the keys that authenticate access: the ingest keys used to send telemetry, and the tokens used for programmatic API and MCP access. It reflects the actual implementation, not aspirations.
Ingest keys
Section titled “Ingest keys”The OTLP ingest endpoint authenticates every batch against a per-org ingest
key. Keys are managed in Settings → Ingestion, hashed at rest, and can be
rotated or revoked without redeploying senders. A request with a missing or
invalid key is rejected with 401.
API & MCP tokens
Section titled “API & MCP tokens”Tokens for the HTTP API and the MCP endpoint are long, high-entropy random strings, stored as SHA-256 hashes at rest — a fast hash is appropriate for high-entropy secrets, since there’s nothing low-entropy to brute-force. The plaintext is shown exactly once at creation and never again, and any token can be revoked at any time.