
Securing your key-pair and tokens

Overview

Key-pair authentication offers more secure initialization for your SDK instance, but in order for this to work, your tokens must expire quickly and your private key must be kept secret. If a bad actor is able to reuse your tokens or mint their own tokens using your private key, they could potentially use these tokens to instantiate your SDK instance without your permission.

In order to prevent your tokens from being reused, we will implement certain token security measures outlined in the next section. In order to make sure that your private key does not become compromised, please store this key in a secure file on your server and ensure that only trusted parties have access to this file. Secure storage of your key-pair should prevent your private key from being leaked, but in the event that your private key does become compromised, please follow the guide below to rotate your key-pair.

Our token security measures

In order to prevent a bad actor from using or reusing an intercepted token, we will:

  1. Enforce a time-to-live (TTL) of 30 seconds maximum on all tokens we receive to instantiate an SDK instance.

  2. Blacklist any token that has already been used to instantiate an SDK instance and prevent this token from instantiating another SDK instance, even if the token has not expired yet.

However, please note that these security measures will only work if your private key is not compromised. If your key becomes compromised, a bad actor can mint their own tokens, and you will need to follow the steps below to resolve the issue.

Detect a compromised key-pair

Custom SDK instances have partner ownership enabled, meaning videos created with your SDK are saved to your own partner workspace. If you notice an unusually high volume of videos being added to your partner workspace that you do not expect or recognize, this may be a sign that your private key has been compromised.

Rotate your key-pair

If your private key becomes compromised, one method you can use to stop the key from being exploited is to rotate your key-pair. This will generate a new public and private key, and you will be responsible for replacing your private key in your own server. In order to rotate your key-pair, you can follow the steps below:

  1. Navigate to your Loom Developer Portal.

  2. Locate the SDK app whose key-pair has been compromised and click on the Update button next to it.

  3. A page with the SDK app’s details will open, and at the bottom, there will be a button that says Create private key. Click this button to generate a new key-pair.

  4. Securely store your new private key and replace your old private key with your new private key on your server.

  5. Go back to the page opened in step 2 and click the Delete private key button next to the compromised key.

Please note that if you delete the old private key in your developer portal before replacing it with the new private key in your server, your SDK will be unable to instantiate until you add the new private key to your server.