- /admin-config is not public; it’s only available when authenticated in the Dashboard. Do not expose it client-side.
- Tokens: treat all tokens as secrets; never embed them in public JS. Rotate them regularly and scope each token to a single tenant.
- Notifications: messages come from the official Cloud AI endpoint, but treat their content as untrusted data: escape it before rendering it in the UI and reject payloads that contain HTML rather than trying to sanitize them.
- Settings: validate any external URLs server-side (scheme and host checked against an allowlist), and enforce that same allowlist in the browser through CSP (`frame-src`) for iframes.
- Rate limiting & audit: return HTTP 429 when limits are exceeded, and log admin actions (tenant create/update/delete, token issuance).
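The following is an added example, not the project's own code, showing how the Notifications and Settings items above can be enforced server-side in Node.js: a strict URL validator for Settings (https only, no embedded credentials, no explicit port, host on an allowlist), an HTML escaper used to render notification text, and a `frame-src` directive generated from the same allowlist so the server check and the browser-enforced CSP cannot drift. The function names, the `ALLOWED_EMBED_HOSTS` contents and the notification shape are assumptions for illustration.

```javascript
// Added example (not the project's own code). Uses the global WHATWG URL
// class available in Node.js; no third-party dependencies.

// Hypothetical allowlist of hosts that Settings may reference for iframes.
const ALLOWED_EMBED_HOSTS = new Set(["embed.example.com", "docs.example.com"]);

// Server-side check for an external URL submitted through Settings.
// Returns { ok: true, url } with the normalised URL, or { ok: false, reason }.
function validateExternalUrl(raw, allowedHosts = ALLOWED_EMBED_HOSTS) {
  if (typeof raw !== "string" || raw.length === 0 || raw.length > 2048) {
    return { ok: false, reason: "empty or oversized input" };
  }
  let parsed;
  try {
    parsed = new URL(raw.trim());
  } catch (e) {
    return { ok: false, reason: "unparseable URL" };
  }
  // https only: rejects javascript:, data:, file: and plain http.
  if (parsed.protocol !== "https:") {
    return { ok: false, reason: `scheme ${parsed.protocol} not allowed` };
  }
  // "https://evil.example@embed.example.com/" parses with a username;
  // embedded credentials are a classic confusion vector, so reject them.
  if (parsed.username !== "" || parsed.password !== "") {
    return { ok: false, reason: "credentials in URL" };
  }
  // An explicit non-default port is not something the allowlist covers.
  if (parsed.port !== "") {
    return { ok: false, reason: "explicit port not allowed" };
  }
  // Exact hostname match (URL lower-cases it); subdomains and look-alike
  // suffixes such as embed.example.com.evil.example do not match.
  if (!allowedHosts.has(parsed.hostname)) {
    return { ok: false, reason: `host ${parsed.hostname} not in allowlist` };
  }
  return { ok: true, url: parsed.toString() };
}

// Escape the characters that matter in HTML text and attribute contexts.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Render a notification from the Cloud AI endpoint. Title and body are
// always treated as text, never interpolated as markup.
function renderNotification(msg) {
  return (
    `<div class="notification"><strong>${escapeHtml(msg.title)}</strong>` +
    `<p>${escapeHtml(msg.body)}</p></div>`
  );
}

// Derive the CSP frame-src directive from the same allowlist used by
// validateExternalUrl, so the two checks cannot disagree.
function frameSrcDirective(allowedHosts = ALLOWED_EMBED_HOSTS) {
  const sources = [...allowedHosts].map((h) => `https://${h}`).join(" ");
  return `frame-src ${sources};`;
}

// Constructed sample inputs, as a client would send them.
const settingsInput = "https://embed.example.com/widget?id=1";
const hostileInput = "javascript:alert(1)";
console.log(validateExternalUrl(settingsInput)); // { ok: true, url: ... }
console.log(validateExternalUrl(hostileInput));  // { ok: false, reason: ... }
console.log(renderNotification({ title: "Build done", body: "<img src=x onerror=alert(1)>" }));
console.log(frameSrcDirective());
```

The host check is an exact match on `parsed.hostname`, so wildcard subdomains are deliberately not supported; if a deployment needs them, add the specific hosts to the allowlist rather than relaxing the comparison. Rejecting HTML in notification payloads (as the list item says) is simpler and safer than sanitizing it, and `escapeHtml` makes the rendering safe even if a payload slips through.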