# Authentication & Security

> Keep your data – and your users – safe.

## API Keys

Generate and manage keys in the [Flumes dashboard](https://app.flumes.ai). Keys are **secret** – never commit them to Git.

```text
Authorization: Bearer FLUMES_SK_abc123
```

## Headers & scoping

| Header            | Purpose                                           |
| ----------------- | ------------------------------------------------- |
| `X-Flumes-Agent`  | Scope traffic to a specific agent within your org |
| `Idempotency-Key` | Ensure safe retries for writes                    |

You can combine headers with request fields like `entity_id`, `namespace`, and `tags` for fine-grained tenancy. Org is inferred from the API key; set `namespace` per app/env.

### Scopes & limits

* Keys can be scoped as `read | write | admin`.
* Rate-limit headers are returned on requests: `X-RateLimit-Remaining`, `X-RateLimit-Reset`.
* On retries for writes, always include a stable `Idempotency-Key` to avoid duplicates.
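
The sketch below shows the retry rule above in client code. It is an added example, not code from Flumes: one `Idempotency-Key` is generated per logical write and reused on every attempt. The `send` transport, the `FLUMES_API_KEY` environment variable name, and the set of retryable status codes are assumptions.

```python
import os
import time
import uuid

# Assumption: which statuses are worth retrying is not stated on this page.
RETRYABLE = {429, 500, 502, 503, 504}


def build_headers(api_key, agent=None, idempotency_key=None):
    """Assemble the headers named on this page."""
    headers = {"Authorization": f"Bearer {api_key}"}
    if agent:
        headers["X-Flumes-Agent"] = agent
    if idempotency_key:
        headers["Idempotency-Key"] = idempotency_key
    return headers


def write_with_retry(send, body, api_key=None, agent=None,
                     max_attempts=4, sleep=time.sleep):
    """Send one logical write, reusing one Idempotency-Key on every attempt.

    send(headers, body) is a caller-supplied transport (hypothetical) that
    returns (status, response_headers) or raises ConnectionError.
    """
    # Read the key from the environment rather than from source control.
    # FLUMES_API_KEY is an assumed variable name.
    api_key = api_key or os.environ["FLUMES_API_KEY"]
    # Generated once, outside the loop: a fresh key per attempt would let a
    # retry of an already-applied write create a duplicate.
    idem = str(uuid.uuid4())
    headers = build_headers(api_key, agent, idem)
    for attempt in range(1, max_attempts + 1):
        try:
            status, resp = send(dict(headers), body)
        except ConnectionError:
            status, resp = None, {}  # outcome unknown, so retry with same key
        if status is not None and status not in RETRYABLE:
            return {"status": status, "attempts": attempt,
                    "idempotency_key": idem,
                    "rate_limit_remaining": resp.get("X-RateLimit-Remaining")}
        if attempt < max_attempts:
            sleep(min(2 ** attempt, 30))  # capped exponential backoff
    raise RuntimeError(f"write not confirmed after {max_attempts} attempts")
```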

## Transport security

All requests go through **TLS 1.2+**. We terminate TLS at cloud load balancers before routing to the service.

## Data storage

* Hot memory lives in encrypted EBS volumes (AES-256).
* Backups are encrypted at rest and in transit.

<Warning>
  We are **not** HIPAA compliant yet. Reach out if you need a custom BAA.
</Warning>

## Privacy & redaction

* `policy.pii_redaction=auto|off` controls masking at assemble time.
* Each memory has `sensitivity` (`auto|pii`) so you can mark sensitive items explicitly.
