> ## Documentation Index
> Fetch the complete documentation index at: https://docs.sitecopilot.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Security

* **/admin-config** is not public; it's only available when authenticated in the Dashboard. Do not expose it client-side.
* **Tokens**: treat all tokens as secrets; never embed them in public JS. Rotate regularly; apply per-tenant scoping.
* **Notifications**: messages come from the official Cloud AI endpoint; sanitize/escape any UI rendering and reject untrusted HTML.
* **Settings**: validate any external URLs server-side; enforce CSP/allowlists for iframes.
* **Rate limiting & audit**: apply 429s where appropriate and log admin actions (tenant create/update/delete, token issuance).
