theo_sk_... keys).
API Key Security
- Hashed at rest — keys are SHA-256 hashed before storage. We cannot recover a lost key; you must generate a new one.
- Prefixed for identification — all keys use the theo_sk_ prefix.
- Scoped permissions — each key can be scoped to specific API capabilities (completions, skills, tools, connectors, billing).
- Per-key rate limits — rate limits are enforced per key based on your plan tier.
- Instant revocation — revoke any key immediately from the dashboard or API. Revoked keys are rejected within seconds.
- Key rotation — roll keys with a configurable grace period where both old and new keys work simultaneously.
Key Rotation
We recommend rotating API keys regularly:
- Create a new key in the dashboard
- Update your environment variables / secrets manager
- Verify traffic is flowing through the new key
- Revoke the old key
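The list under API Key Security and the rotation steps above describe one scheme: only a SHA-256 hash of each key is stored, keys are recognised by the theo_sk_ prefix, each key carries scopes, and rotation leaves both keys valid for a grace period. The following is an added, self-contained model of that scheme written for this page; it is not Theo's server code, and the record layout, the `check` return values, and the use of a timestamp argument instead of a clock are assumptions made to keep it runnable and testable offline.

```python
"""Toy model of the API-key lifecycle described on this page.

Assumptions (not taken from Theo's implementation): keys are random
url-safe tokens behind the theo_sk_ prefix, the store keeps only the hex
SHA-256 of the plaintext, and `now` is passed in explicitly so rotation
and grace periods can be exercised deterministically.
"""
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional

PREFIX = "theo_sk_"
SCOPES = {"completions", "skills", "tools", "connectors", "billing"}


@dataclass
class KeyRecord:
    key_hash: str                      # hex SHA-256 of the full plaintext key
    scopes: frozenset
    revoked: bool = False
    expires_at: Optional[float] = None  # set by rotate(): old key dies at this time


class KeyStore:
    def __init__(self) -> None:
        # The hash is the lookup key, so the plaintext is never stored and
        # no variable-time string comparison of secrets takes place.
        self._by_hash: dict = {}

    @staticmethod
    def _hash(key: str) -> str:
        return hashlib.sha256(key.encode()).hexdigest()

    def create(self, scopes):
        unknown = set(scopes) - SCOPES
        if unknown:
            raise ValueError(f"unknown scopes: {sorted(unknown)}")
        plaintext = PREFIX + secrets.token_urlsafe(32)
        rec = KeyRecord(key_hash=self._hash(plaintext), scopes=frozenset(scopes))
        self._by_hash[rec.key_hash] = rec
        # The plaintext is handed out exactly once; a lost key cannot be recovered.
        return plaintext, rec

    def check(self, presented: str, scope: str, now: float) -> str:
        """Return 'ok' or the reason a presented key is rejected for `scope`."""
        if not presented.startswith(PREFIX):
            return "bad_prefix"
        rec = self._by_hash.get(self._hash(presented))
        if rec is None:
            return "unknown_key"
        if rec.revoked:
            return "revoked"
        if rec.expires_at is not None and now >= rec.expires_at:
            return "expired"
        if scope not in rec.scopes:
            return "scope_denied"
        return "ok"

    def revoke(self, rec: KeyRecord) -> None:
        """Instant revocation: the next check() on this key fails."""
        rec.revoked = True

    def rotate(self, old: KeyRecord, grace_seconds: float, now: float):
        """Issue a replacement with the same scopes; the old key keeps
        working until now + grace_seconds, then is rejected as expired."""
        new_plain, new_rec = self.create(old.scopes)
        old.expires_at = now + grace_seconds
        return new_plain, new_rec


def demo() -> dict:
    """Walk through create -> use -> rotate -> grace period -> revoke."""
    store = KeyStore()
    key, rec = store.create({"completions", "tools"})
    results = {
        "ok": store.check(key, "completions", now=0),
        "scope": store.check(key, "billing", now=0),
        "prefix": store.check("sk_" + key[len(PREFIX):], "completions", now=0),
        "unknown": store.check(PREFIX + "x" * 43, "completions", now=0),
    }
    new_key, new_rec = store.rotate(rec, grace_seconds=3600, now=1000)
    results["old_in_grace"] = store.check(key, "completions", now=2000)
    results["new_in_grace"] = store.check(new_key, "completions", now=2000)
    results["old_after_grace"] = store.check(key, "completions", now=5000)
    store.revoke(new_rec)
    results["new_revoked"] = store.check(new_key, "completions", now=5000)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The rotation steps map onto `rotate()` followed by verifying traffic on the new key while the old one is still inside its grace window, and then `revoke()` (or simply letting the grace period lapse) for the old key. Note that a scope check happens only after the key itself is accepted, so a rejected scope never reveals anything about keys that do not exist.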
Dashboard Authentication
The web dashboard supports email/password, social login, and optional multi-factor authentication (MFA). Session tokens are short-lived and scoped to the authenticated session.
Transport Security
- All API traffic is encrypted via TLS 1.2+
- HSTS is enforced on all Theo domains
- Certificate transparency logs are monitored
Supply Chain: Verifying npm Packages
Every official Theo npm package (@hitheo/sdk, @hitheo/mcp, @hitheo/telegram, @hitheo/whatsapp) is published with npm provenance starting with version 0.1.4. Each tarball carries a cryptographically signed attestation linking the release back to the exact public CI workflow and git commit that produced it.
To verify before installing:
