Security Best Practices
Security is a top priority for the Mira platform. This page covers recommendations for securely working with the API, handling data, and protecting your infrastructure.
API Key Security
API keys grant full access to your account. Treat them like passwords.
- Environment variables — Always store keys in environment variables (MIRA_API_KEY), never hardcode them in source code.
- Client-side code — Never include API keys in client-side JavaScript, mobile apps, or public repositories.
- Key rotation — Rotate API keys regularly. If a key is compromised, revoke it immediately from the dashboard.
- Least privilege — Create separate keys for different services and environments (development, production).
# .env file (add to .gitignore)
MIRA_API_KEY=sk-mira-your-secret-key

# Python
import os
api_key = os.environ["MIRA_API_KEY"]

# Node.js
const apiKey = process.env.MIRA_API_KEY;
HTTPS & Encryption
All communication with the Mira API is conducted over HTTPS with TLS 1.2+ encryption. Unencrypted HTTP requests are automatically rejected.
- Transport encryption — All data between your application and Mira servers is encrypted in transit.
- Certificate validation — Ensure your HTTP client validates SSL/TLS certificates. Never disable certificate verification.
Data Handling
Mira does not use your API requests for model training. Your data remains yours.
- No training on your data — API requests are not used for training or improving models.
- Data retention — Request logs are retained for up to 30 days for monitoring and debugging, then deleted.
- Sensitive data — Avoid sending sensitive data (passwords, card numbers, personal data) to the API unless necessary.
Content Filtering
Mira includes automatic content moderation to prevent generation of harmful material. The system works in real time and covers:
- Input filtering — Requests are checked for malicious instructions before processing.
- Output filtering — Responses are checked for potentially harmful or inappropriate content.
Rate Limiting
Rate limits protect the platform from abuse and ensure fair resource allocation.
- Per-key limits — Each API key has individual limits based on the subscription plan.
- Response headers — Monitor X-RateLimit-Remaining and Retry-After headers to manage request rate.
- Retry strategy — Implement exponential backoff when receiving a 429 error.
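The retry strategy above, worked through as an added example (not code from the Mira platform): a 429 is retried with the server's Retry-After value when present, otherwise with capped exponential backoff plus jitter, and X-RateLimit-Remaining is parsed so a client can slow down before it is throttled. The response shape (status, headers, body) and the `send` callback are assumptions made for this example; the caller supplies the actual HTTPS request.

```python
import random
import time
from typing import Callable, Dict, Optional, Tuple

# A response is modelled as (status_code, headers, body); constructed for this example.
Response = Tuple[int, Dict[str, str], str]

MAX_RETRIES = 5
BASE_DELAY = 0.5   # seconds; doubled on each retry
MAX_DELAY = 30.0   # cap so a huge Retry-After cannot stall the client indefinitely


def compute_delay(attempt: int, retry_after: Optional[str]) -> float:
    """Seconds to wait before retry number `attempt` (0-based).

    Honours the Retry-After header when it is a well-formed integer number
    of seconds; otherwise falls back to capped exponential backoff with
    full jitter so that many clients do not retry in lock-step.
    """
    if retry_after is not None and retry_after.strip().isdigit():
        return min(float(retry_after.strip()), MAX_DELAY)
    backoff = min(BASE_DELAY * (2 ** attempt), MAX_DELAY)
    return random.uniform(0, backoff)


def call_with_backoff(send: Callable[[], Response],
                      sleep: Callable[[float], None] = time.sleep) -> Response:
    """Call `send` until it returns a non-429 response or retries are exhausted.

    `send` is a zero-argument function that performs one HTTPS request
    (assumed: an HTTP client with certificate verification left enabled).
    `sleep` is injectable so the backoff can be tested without waiting.
    """
    response = send()
    for attempt in range(MAX_RETRIES):
        status, headers, _ = response
        if status != 429:
            return response
        sleep(compute_delay(attempt, headers.get("Retry-After")))
        response = send()
    return response   # still 429: the caller decides whether to fail or queue


def remaining_quota(headers: Dict[str, str]) -> Optional[int]:
    """Parse X-RateLimit-Remaining so callers can throttle before hitting 429."""
    value = headers.get("X-RateLimit-Remaining")
    return int(value) if value is not None and value.isdigit() else None
```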
Authentication Security
Mira Code CLI uses device code flow for authentication, eliminating the need to enter passwords in the terminal.
- Device code flow — Authentication happens via the browser — the CLI only receives a JWT token after confirmation.
- JWT handling — Tokens are stored securely on disk and automatically refreshed when they expire.
- Logout — Use mira auth logout to remove stored tokens.
Infrastructure
The Mira platform is hosted in secure data centers with multi-layered protection.
- DDoS protection — Active DDoS protection at the network and application level.
- Monitoring — 24/7 system monitoring with automatic alerting for suspicious activity.
- Backups — Regular data backups with geographic distribution.
Responsible AI
Mira follows responsible AI principles including content safety and bias mitigation.
- Content safety — Models are trained to refuse generation of harmful, illegal, or dangerous content.
- Bias mitigation — Ongoing work to identify and reduce biases in model responses.
Security Checklist
Use this checklist to verify the security of your Mira integration:
Reporting Vulnerabilities
If you discover a security vulnerability in the Mira platform, please report it to:
security@vmira.ai
We take every security report seriously and will respond within 48 hours. Please do not disclose vulnerability information publicly until it has been resolved.