Security & API Keys

Your developer account uses API keys for programmatic access — to the CLI, CI/CD pipelines, and the Developer REST API. This page explains how keys work and best practices for keeping them secure.

API keys

API keys are long-lived credentials scoped to your developer account. They are used by:

  • The lumio CLI (lumio login --token <key>)
  • CI/CD pipelines running lumio deploy
  • Direct calls to the Developer REST API

Creating a key

  1. Open the extension dashboard
  2. Navigate to Account → Security → API Keys
  3. Click New API Key
  4. Enter a label (e.g. ci-github-actions)
  5. Copy the key — it is shown only once

Keys are prefixed with lm_dev_ and are 64 characters long. The fixed prefix is what lets secret scanners and pre-commit hooks recognise a leaked key, so treat any string that starts with it as sensitive.
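The documented prefix makes a leaked key easy to find mechanically, which is the cheapest way to enforce the "never in source code" rule below. The following scanner is an added example, not Lumio's own tooling: it assumes the 64-character length includes the lm_dev_ prefix and that the remaining 57 characters are alphanumeric (the page states only the prefix and the length), and the lines it scans are constructed sample input with placeholder keys and a hypothetical api.example.invalid host.

```python
"""Find Lumio API keys in text before it is committed or pushed.

Added example, not Lumio's own tooling.  The page documents only the lm_dev_
prefix and the 64-character length; this assumes the length includes the
prefix and that the remaining 57 characters are alphanumeric.
"""
import re
import sys
from dataclasses import dataclass

PREFIX = "lm_dev_"
KEY_LEN = 64                      # documented length, assumed to include the prefix
BODY_LEN = KEY_LEN - len(PREFIX)  # 57

# Exact length with boundaries on both sides: a key inside quotes, a header or a
# URL is matched, while a shorter or longer alphanumeric run is not.  Drop the
# lookahead if you would rather over-report than miss a key with text glued on.
KEY_RE = re.compile(
    rf"(?<![A-Za-z0-9_]){re.escape(PREFIX)}[A-Za-z0-9]{{{BODY_LEN}}}(?![A-Za-z0-9_])"
)


@dataclass(frozen=True)
class Finding:
    line_no: int
    redacted: str   # prefix plus last four characters, never the full key


def redact(key: str) -> str:
    """Never echo a full key into CI output; the tail is enough to match a label."""
    return f"{PREFIX}...{key[-4:]}"


def scan_text(text: str) -> list[Finding]:
    """Return one Finding per key occurrence, with 1-based line numbers."""
    return [
        Finding(line_no, redact(m.group(0)))
        for line_no, line in enumerate(text.splitlines(), start=1)
        for m in KEY_RE.finditer(line)
    ]


def scan_files(paths) -> dict[str, list[Finding]]:
    """Scan each path; binary junk is tolerated via errors='replace'."""
    hits = {}
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            found = scan_text(fh.read())
        if found:
            hits[path] = found
    return hits


# Constructed sample input (placeholder keys, not real ones): lines 1 and 3 hold
# a key, line 2 is too short to be one, line 4 is a longer run that only starts
# like one and is deliberately not reported.
SAMPLE_KEY = PREFIX + "a" * BODY_LEN
SAMPLE = f"""\
export LUMIO_TOKEN="{SAMPLE_KEY}"
token = "lm_dev_tooshort"
curl -H "Authorization: Bearer {SAMPLE_KEY}" https://api.example.invalid/
cache_id = "{SAMPLE_KEY}zz"
"""

if __name__ == "__main__":
    # python scan_keys.py FILE...   or   git diff --cached | python scan_keys.py
    if len(sys.argv) > 1:
        hits = scan_files(sys.argv[1:])
    else:
        hits = {"<stdin>": scan_text(sys.stdin.read())}
    for path, found in hits.items():
        for f in found:
            print(f"{path}:{f.line_no}: possible Lumio API key {f.redacted}")
    sys.exit(1 if any(hits.values()) else 0)
```

Wire it into a pre-commit hook by piping `git diff --cached` into it; a non-zero exit blocks the commit, and the output only ever shows the redacted tail, so the hook's own log cannot become a second leak.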

Key permissions

All API keys inherit the permissions of the account that created them; there is no per-key scope restriction, so a key issued from an Owner account can do everything that account can, billing included. If you need limited access for a specific use case (for example a CI key that should deploy but never publish), create a separate developer sub-account with a narrower role and issue the key from that account (see Teams).

Revoking a key

Revoke a key immediately from Account → Security → API Keys → Revoke. Revocation takes effect within 30 seconds across all API regions, so treat a compromised key as still usable until that window has passed. Revoked keys cannot be restored.

Rotation recommendation

Rotate API keys every 90 days, and immediately when:

  • A team member with access to the key leaves
  • You suspect the key may have been exposed
  • You rotate secrets in your CI/CD platform

Create the replacement key and update your CI/CD secret store first, then revoke the old key, so that deployments are not interrupted and the old key does not linger.

Teams and shared access

Multiple developers can collaborate on an extension via the team feature. Go to Account → Team to invite members. Each team member authenticates with their own credentials; shared passwords or shared API keys are neither needed nor recommended, and they also make the audit log useless for telling members apart.

Team roles:

Role     Can deploy   Can publish   Can manage billing   Can invite members
Owner    Yes          Yes           Yes                  Yes
Admin    Yes          Yes           No                   Yes
Member   Yes          No            No                   No

Two-factor authentication

Enable 2FA for your account under Account → Security → Two-Factor Authentication. Supported methods:

  • TOTP — any authenticator app (Google Authenticator, Authy, 1Password)
  • Passkey — hardware security key or platform authenticator

2FA is required for all accounts that have published paid extensions. It is strongly recommended for all accounts.

Audit log

Every authentication event, deployment, and settings change is logged in the audit log under Account → Security → Audit Log. Log entries include:

Field       Description
timestamp   UTC timestamp of the event
event       Event type (e.g. api_key.created, extension.deployed)
actor       Email or API key label
ip          Source IP address
result      success or failure

Audit logs are retained for 90 days.
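The monthly review recommended under best practices is easier to do consistently with a script than by scrolling the dashboard. The following review is an added example, not Lumio's own tooling. The page documents the log fields but not an export format, so it assumes newline-delimited JSON with exactly the field names above; the user.login event name, the example.com actors, the documentation-range addresses and the key inventory are all constructed. Creation dates come from an inventory you keep yourself, because with 90-day retention the log alone cannot date a key that is already older than the rotation interval.

```python
"""Review an exported Lumio audit log against the checks this page asks for:
unexpected source addresses, repeated failures, key lifecycle events, unknown
key labels, and keys overdue for rotation or unused.

Added example, not Lumio's own tooling.  The page documents the fields
(timestamp, event, actor, ip, result) but no export format, so newline-
delimited JSON with those field names is assumed; the user.login event name
is assumed too.  Key creation dates come from your own inventory because the
90-day retention means the log alone cannot date an older key.
"""
import json
from collections import defaultdict
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

ROTATION_DAYS = 90   # rotation interval from this page


def parse_log(ndjson: str) -> list[dict]:
    """One dict per line; timestamps become aware datetimes (UTC per the page)."""
    entries = []
    for line in ndjson.splitlines():
        if line.strip():
            e = json.loads(line)
            e["timestamp"] = datetime.fromisoformat(e["timestamp"].replace("Z", "+00:00"))
            entries.append(e)
    return entries


def review(entries, allowed_nets, key_inventory, now, failure_threshold=3):
    """Return (severity, message) pairs.

    allowed_nets:  CIDR strings you expect logins and CI deploys to come from.
    key_inventory: {key label: creation datetime}, recorded when each key is made.
    """
    nets = [ip_network(n) for n in allowed_nets]
    findings = []
    failures = defaultdict(int)
    active_labels = set()
    for e in sorted(entries, key=lambda x: x["timestamp"]):
        when, actor = f"{e['timestamp']:%Y-%m-%d}", e["actor"]
        src = ip_address(e["ip"])
        if not any(src in n for n in nets):
            findings.append(("high", f"{when} {e['event']} by {actor} from unexpected address {src}"))
        if e["result"] == "failure":
            failures[actor] += 1
        if e["event"].startswith("api_key."):   # every key lifecycle change deserves a look
            findings.append(("info", f"{when} {e['event']} by {actor}"))
        # actor is an email for human actions and a key label for key actions;
        # this assumes labels never contain '@'.
        if actor in key_inventory:
            active_labels.add(actor)
        elif "@" not in actor:
            findings.append(("high", f"{when} {e['event']} by key label {actor!r} not in inventory"))
    for actor, n in failures.items():
        if n >= failure_threshold:
            findings.append(("medium", f"{n} failed events for {actor}"))
    for label, created in key_inventory.items():
        age = (now - created).days
        if age > ROTATION_DAYS:
            findings.append(("medium", f"key {label!r} is {age} days old, over the {ROTATION_DAYS}-day rotation limit"))
        if label not in active_labels:
            findings.append(("low", f"key {label!r} had no activity in the retained log; revoke it if unused"))
    return findings


def severity_counts(findings) -> dict[str, int]:
    """Tally findings by severity, handy for a one-line monthly summary."""
    counts = defaultdict(int)
    for sev, _ in findings:
        counts[sev] += 1
    return dict(counts)


# Constructed sample data: documentation-range addresses, invented actors and keys.
SAMPLE_LOG = """
{"timestamp": "2024-05-02T09:14:00Z", "event": "user.login", "actor": "dev@example.com", "ip": "203.0.113.10", "result": "success"}
{"timestamp": "2024-05-02T09:20:00Z", "event": "api_key.created", "actor": "dev@example.com", "ip": "203.0.113.10", "result": "success"}
{"timestamp": "2024-05-03T01:00:00Z", "event": "extension.deployed", "actor": "ci-github-actions", "ip": "203.0.113.77", "result": "success"}
{"timestamp": "2024-05-04T01:00:00Z", "event": "extension.deployed", "actor": "old-laptop-key", "ip": "198.51.100.9", "result": "success"}
{"timestamp": "2024-05-05T22:10:00Z", "event": "user.login", "actor": "dev@example.com", "ip": "198.51.100.9", "result": "failure"}
{"timestamp": "2024-05-05T22:11:00Z", "event": "user.login", "actor": "dev@example.com", "ip": "198.51.100.9", "result": "failure"}
{"timestamp": "2024-05-05T22:12:00Z", "event": "user.login", "actor": "dev@example.com", "ip": "198.51.100.9", "result": "failure"}
"""
ALLOWED_NETS = ["203.0.113.0/24"]
KEY_INVENTORY = {
    "ci-github-actions": datetime(2024, 5, 2, tzinfo=timezone.utc),
    "ci-staging": datetime(2024, 1, 10, tzinfo=timezone.utc),
}
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for sev, msg in review(parse_log(SAMPLE_LOG), ALLOWED_NETS, KEY_INVENTORY, NOW):
        print(f"[{sev}] {msg}")
```

On the sample data the review surfaces a deploy by a key label nobody inventoried, three failed logins from an address outside the allowed range, a stale staging key that is both over the rotation limit and unused, and the one key creation event, which is exactly the set of things the best practices below ask you to look for each month.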

Responsible disclosure

If you discover a security vulnerability in the Lumio platform, report it to security@lumio.vision. Include a description of the issue, steps to reproduce, and an impact assessment. We follow a 90-day disclosure timeline and offer recognition in our security hall of fame for valid reports.

Do not report vulnerabilities via GitHub issues or the public support channel.

Security best practices

  • Store API keys in your CI/CD secret store (GitHub Actions secrets, GitLab CI variables), never in source code
  • Use environment-specific keys — a separate key for staging vs production deployments
  • Enable 2FA on your developer account
  • Review the audit log monthly for unexpected access
  • Revoke keys that are no longer in use
  • Never share your API key in support tickets, Discord, or forums — Lumio staff will never ask for your key