
Security Best Practices

Learn how to secure your BlokMCP setup and manage credentials safely.

Token Security

Management Token Protection

DO:

  • Store tokens in environment variables
  • Use secret management services
  • Rotate tokens quarterly
  • Audit token usage regularly

DON'T:

  • Commit tokens to git
  • Share tokens in chat/email
  • Use production tokens in development
  • Give tokens more permissions than needed
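The following is an added example, not code from BlokMCP itself, showing one way to apply the two storage rules above in a Python service: the management token is read only from an environment variable, startup fails closed if it is missing or is an obvious placeholder, and a logging filter masks the token so it cannot leak into log output. The variable name `BLOKMCP_MANAGEMENT_TOKEN`, the placeholder list and the minimum length are assumptions; this page does not state what the real variable is called or what a token looks like.

```python
"""Load a management token from the environment and keep it out of logs."""
import logging
import os
import re
from typing import Iterable, Mapping, Optional

# Hypothetical variable name: the page does not say what BlokMCP actually reads.
TOKEN_ENV_VAR = "BLOKMCP_MANAGEMENT_TOKEN"

# Placeholder values that commonly leak from templates and sample .env files.
PLACEHOLDER_VALUES = {"", "changeme", "your-token-here", "xxx", "todo"}
MIN_TOKEN_LENGTH = 16  # assumption: real tokens are comfortably longer than this


def validate_token(value: Optional[str]) -> Optional[str]:
    """Return a reason the value is unusable, or None if it looks like a real token."""
    if value is None:
        return "not set"
    stripped = value.strip()
    if stripped.lower() in PLACEHOLDER_VALUES:
        return "placeholder value"
    if len(stripped) < MIN_TOKEN_LENGTH:
        return "too short to be a real token"
    if re.search(r"\s", stripped):
        return "contains whitespace (likely a copy/paste error)"
    return None


def load_management_token(env: Mapping[str, str] = os.environ) -> str:
    """Fail closed: refuse to start with a missing or placeholder token."""
    value = env.get(TOKEN_ENV_VAR)
    problem = validate_token(value)
    if problem:
        raise RuntimeError(f"{TOKEN_ENV_VAR} is {problem}; refusing to start")
    return value.strip()


def mask(secret: str) -> str:
    """Show only the last four characters, enough to tell keys apart in logs."""
    return "****" + secret[-4:]


def redact_secrets(text: str, secrets: Iterable[str]) -> str:
    """Replace every occurrence of each known secret in text with its masked form."""
    for secret in secrets:
        if secret:
            text = text.replace(secret, mask(secret))
    return text


class SecretRedactingFilter(logging.Filter):
    """Logging filter that rewrites each record's message with secrets masked."""

    def __init__(self, secrets: Iterable[str]) -> None:
        super().__init__()
        self._secrets = [s for s in secrets if s]

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_secrets(record.getMessage(), self._secrets)
        record.args = ()
        return True


if __name__ == "__main__":
    # Constructed sample environment; this is not a real token.
    sample_env = {TOKEN_ENV_VAR: "sb-constructed-sample-token-9f3a"}
    token = load_management_token(sample_env)
    logging.basicConfig(level=logging.INFO)
    log = logging.getLogger("blokmcp-example")
    log.addFilter(SecretRedactingFilter([token]))
    log.info("connecting with token %s", token)  # appears in the log as ****9f3a
```

Attach the filter to the logger your MCP server uses before the first request is made; a secret manager can populate the same environment variable at deploy time without the code changing.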

API Key Management

# Good practice
- Separate API keys for dev/staging/prod
- Descriptive key names (e.g., "blokmcp-production-2024")
- Regular rotation schedule
- Track which keys are used where

Permission Levels

Minimum Necessary Access

Grant only the permissions required for each use case:

Content Editor:

  • Create/edit stories
  • Upload assets
  • No component schema changes
  • No space settings

Developer:

  • Full component access
  • Limited story access
  • No user management
  • No billing changes

Admin:

  • Full access (use sparingly)

Credential Rotation

Regular Rotation Schedule

Monthly: Review active API keys
Quarterly: Rotate all management tokens
Annually: Full security audit
Immediately: Rotate if compromise suspected

Rotation Process

1. Generate new API key in dashboard
2. Update environment variables
3. Test new key works correctly
4. Deactivate old key
5. Monitor for any failures
6. Delete old key after 7 days
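As an added example (not BlokMCP's own tooling), the inventory below tracks API keys against the schedule and process above: descriptive per-environment key names, a 90-day rotation interval for the quarterly rule, a rotation step that only deactivates the old key after the new one passes a test hook (steps 2 to 4), and a 7-day grace period before a deactivated key becomes deletable (steps 5 and 6). Step 1, generating the key in the dashboard, happens outside this code. The key names, dates and systems in the sample inventory are constructed.

```python
"""Track API key lifecycle against the quarterly rotation schedule and the
deactivate-then-delete-after-7-days process."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum
from typing import Callable, Dict, List, Optional

ROTATION_INTERVAL = timedelta(days=90)  # "Quarterly: Rotate all management tokens"
DELETE_GRACE = timedelta(days=7)        # "Delete old key after 7 days"


class State(Enum):
    ACTIVE = "active"
    DEACTIVATED = "deactivated"
    DELETED = "deleted"


@dataclass
class KeyRecord:
    name: str          # descriptive name, e.g. "blokmcp-production-2024"
    environment: str   # dev / staging / prod: one key per environment
    created: date
    used_by: List[str] = field(default_factory=list)  # systems holding this key
    state: State = State.ACTIVE
    deactivated_on: Optional[date] = None
    replaced_by: Optional[str] = None

    def rotation_due(self, today: date) -> bool:
        return self.state is State.ACTIVE and today - self.created >= ROTATION_INTERVAL


class KeyInventory:
    def __init__(self) -> None:
        self.keys: Dict[str, KeyRecord] = {}

    def add(self, key: KeyRecord) -> None:
        if key.name in self.keys:
            raise ValueError(f"duplicate key name {key.name}")
        self.keys[key.name] = key

    def due_for_rotation(self, today: date) -> List[str]:
        return sorted(n for n, k in self.keys.items() if k.rotation_due(today))

    def rotate(self, old_name: str, new_key: KeyRecord, today: date,
               works: Callable[[KeyRecord], bool]) -> None:
        """Steps 2 to 4: register the new key, verify it with `works`, then
        deactivate the old one. The old key stays active if verification fails."""
        old = self.keys[old_name]
        if old.state is not State.ACTIVE:
            raise ValueError(f"{old_name} is not active")
        if new_key.environment != old.environment:
            raise ValueError("a key must not move between environments")
        self.add(new_key)                       # step 2: new key deployed
        if not works(new_key):                  # step 3: test before cutover
            del self.keys[new_key.name]
            raise RuntimeError(f"{new_key.name} failed verification; old key kept")
        new_key.used_by = list(old.used_by)     # systems now hold the new key
        old.used_by = []
        old.state = State.DEACTIVATED           # step 4: old key no longer accepted
        old.deactivated_on = today
        old.replaced_by = new_key.name

    def deletable(self, today: date) -> List[str]:
        """Step 6: deactivated keys past the 7-day monitoring window."""
        return sorted(n for n, k in self.keys.items()
                      if k.state is State.DEACTIVATED
                      and k.deactivated_on is not None
                      and today - k.deactivated_on >= DELETE_GRACE)

    def purge(self, today: date) -> List[str]:
        names = self.deletable(today)
        for n in names:
            self.keys[n].state = State.DELETED
        return names


def build_sample_inventory() -> KeyInventory:
    """Constructed sample data, not a real inventory."""
    inv = KeyInventory()
    inv.add(KeyRecord("blokmcp-production-2024", "prod", date(2024, 1, 15), ["ci", "mcp-server"]))
    inv.add(KeyRecord("blokmcp-staging-2024q3", "staging", date(2024, 7, 1), ["staging-server"]))
    return inv


if __name__ == "__main__":
    today = date(2024, 9, 1)
    inv = build_sample_inventory()
    print("due for rotation:", inv.due_for_rotation(today))
    inv.rotate("blokmcp-production-2024", KeyRecord("blokmcp-production-2024q3", "prod", today),
               today, works=lambda k: True)
    print("deletable after grace period:", inv.deletable(today + DELETE_GRACE))
```

The `works` hook is where a real deployment would make a harmless read request with the new key; keeping deactivation behind that check is what turns step 3 from advice into something the process cannot skip.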

Access Audit

Regular Reviews

Monthly checklist:
- Review all active API keys
- Check which users have access
- Verify permissions are still appropriate
- Remove inactive collaborators
- Check audit logs for suspicious activity
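The script below is an added example, not part of BlokMCP, that automates three items of the monthly checklist using the role baselines from the Permission Levels section: it flags principals granted more than their role allows, finds collaborators with no recent activity, and scans audit log lines for a deactivated or unknown token, a token used outside its environment, denied requests, and actions that succeeded despite falling outside the actor's role. The action names, the log line format, the 90-day inactivity threshold and all sample accounts, tokens and events are constructed assumptions; the same log scan is what step 3 of the incident response process below calls for.

```python
"""Monthly access review over a constructed token inventory and audit log."""
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set, Tuple

# Role baselines from the Permission Levels section. The action names are
# hypothetical labels, not BlokMCP's real permission identifiers.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "content_editor": {"story.create", "story.edit", "asset.upload"},
    "developer": {"component.create", "component.edit", "component.delete", "story.read"},
    "admin": {"*"},
}
INACTIVE_AFTER = timedelta(days=90)  # assumption: the page sets no threshold
# Assumed log format: ISO-8601 timestamp followed by space-separated key=value pairs.
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.+)$")
Finding = Tuple[str, str]  # (category, message)


def parse_line(line: str) -> Optional[dict]:
    """Parse one audit line into a dict; None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = dict(pair.split("=", 1) for pair in m.group("kv").split() if "=" in pair)
    ev["ts"] = datetime.fromisoformat(m.group("ts").replace("Z", "+00:00"))
    return ev


def allowed(role: str, action: str) -> bool:
    perms = ROLE_PERMISSIONS.get(role, set())
    return "*" in perms or action in perms


def over_privileged(principals: Dict[str, dict]) -> List[Finding]:
    """Principals whose granted permissions exceed their role baseline."""
    out = []
    for name, p in principals.items():
        extra = sorted(a for a in p["granted"] if not allowed(p["role"], a))
        if extra:
            out.append(("over-privileged", f"{name} ({p['role']}) also holds {extra}"))
    return out


def review_log(lines, tokens, principals) -> Tuple[List[Finding], Dict[str, datetime]]:
    """Flag suspicious entries and record each actor's most recent activity."""
    findings: List[Finding] = []
    last_seen: Dict[str, datetime] = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            findings.append(("unparseable", line.strip()))
            continue
        actor, action, when = ev["actor"], ev["action"], ev["ts"]
        if actor not in last_seen or when > last_seen[actor]:
            last_seen[actor] = when
        tok = tokens.get(ev["token"])
        day = f"{when:%Y-%m-%d}"
        if tok is None:
            findings.append(("unknown-token", f"{day} {ev['token']} is not in the inventory"))
        elif not tok["active"]:
            findings.append(("deactivated-token", f"{day} {ev['token']} still used by {actor}"))
        elif tok["environment"] != ev["space"]:
            findings.append(("cross-environment", f"{day} {tok['environment']} token used on {ev['space']}"))
        role = principals.get(actor, {}).get("role")
        if ev.get("result") == "denied":
            findings.append(("denied", f"{day} {actor} attempted {action}"))
        elif role and not allowed(role, action):
            # Succeeded at something the role should not permit: a misconfigured grant.
            findings.append(("outside-role", f"{day} {actor} ({role}) succeeded at {action}"))
    return findings, last_seen


def inactive_collaborators(principals, last_seen, now: datetime) -> List[str]:
    return sorted(n for n in principals if n not in last_seen or now - last_seen[n] >= INACTIVE_AFTER)


# Constructed sample inventory and log lines; not real accounts, tokens or events.
TOKENS = {
    "blokmcp-production-2024q3": {"environment": "prod", "active": True},
    "blokmcp-dev-2024": {"environment": "dev", "active": True},
    "blokmcp-production-2024": {"environment": "prod", "active": False},  # retired in rotation
}
PRINCIPALS = {
    "maria": {"role": "content_editor", "granted": {"story.create", "story.edit", "asset.upload"}},
    "sam": {"role": "developer", "granted": {"component.edit", "story.read", "space.settings"}},
    "ola": {"role": "content_editor", "granted": {"story.edit"}},
}
SAMPLE_LOG = [
    "2024-09-02T09:14:07Z token=blokmcp-production-2024q3 actor=maria action=story.edit space=prod result=ok",
    "2024-09-02T23:41:52Z token=blokmcp-dev-2024 actor=sam action=component.edit space=prod result=ok",
    "2024-09-03T10:02:11Z token=blokmcp-production-2024 actor=sam action=story.read space=prod result=ok",
    "2024-09-03T10:05:30Z token=blokmcp-production-2024q3 actor=sam action=space.settings space=prod result=ok",
    "2024-09-04T08:00:00Z token=blokmcp-production-2024q3 actor=maria action=component.delete space=prod result=denied",
]
REVIEW_DATE = datetime(2024, 10, 1, tzinfo=timezone.utc)


def monthly_review(lines=SAMPLE_LOG, tokens=TOKENS, principals=PRINCIPALS, now=REVIEW_DATE) -> dict:
    """Run the three checks of the monthly checklist and return the findings."""
    log_findings, last_seen = review_log(lines, tokens, principals)
    return {"over_privileged": over_privileged(principals),
            "log": log_findings,
            "inactive": inactive_collaborators(principals, last_seen, now)}
```

On the sample data the review reports `sam` as holding `space.settings` beyond the developer baseline, `ola` as inactive, and four log findings: a dev token used against the prod space, the retired production key still in use, a developer succeeding at a space-settings change, and a denied component deletion. The "outside-role" case is the one worth reading carefully: a request that succeeded when the role baseline says it should not means the grant, not the actor, is what needs fixing.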

Incident Response

If a Token Is Compromised

Immediate actions:
1. Revoke compromised token immediately
2. Generate new token
3. Review audit logs for unauthorized activity
4. Notify affected team members
5. Update all systems using old token
6. Document incident
7. Review how compromise occurred
8. Implement preventive measures

Best Practices Summary

  1. Never commit credentials - Use environment variables
  2. Rotate regularly - Quarterly at minimum
  3. Least privilege - Grant minimum necessary permissions
  4. Audit frequently - Monthly access reviews
  5. Secure storage - Use secret management tools
  6. Monitor usage - Watch for unusual activity
  7. Document access - Track who has what access
  8. Respond quickly - Immediate action on suspected compromise

Questions about security? Ask Claude to help review your security configuration!


© 2026 BlokMCP. All rights reserved.
