• NEVER commit .env.local or any file containing real API tokens
• Use .env.example as a template and copy to .env.local with real values
• The .gitignore file is configured to protect sensitive environment files

1. Separate Environments: Use different API keys for development, staging, and production
2. Regular Rotation: Rotate API keys regularly (monthly recommended)
3. Principle of Least Privilege: Use API keys with minimal required permissions
4. Monitor Usage: Regularly review API usage logs for suspicious activity

The LGL client includes a debug mode that logs request details:

# Debug mode should ONLY be used in development
client = new_client(api_key, debug=True)  # ⚠️ NEVER in production

Security Features:

• API keys are automatically masked in debug output
• Sensitive fields in request bodies are sanitized
• URLs with query parameters are sanitized

Important Notes:

• Debug mode may still expose some sensitive information
• NEVER enable debug mode in production environments
• Be cautious when sharing debug logs

The client includes built-in protection for:

• Sensitive field detection and masking
• Exception payload sanitization
• URL parameter protection

• Validate input data before sending to the API
• Use the client's built-in validation features
• Be cautious with user-generated content

• Exception messages automatically sanitize sensitive data
• URLs in exceptions have query parameters removed
• Request payloads are sanitized before inclusion in exceptions

• Don't log full exception details in production
• Use structured logging with appropriate log levels
• Monitor error patterns for security issues

• Debug mode is disabled (debug=False)
• API keys are stored securely (environment variables, key management service)
• No sensitive data in logs
• HTTPS is used for all API communications (enforced by default)
• Error handling doesn't expose sensitive information
• Dependencies are up to date

# Production environment should use secure credential storage
export LGL_API_TOKEN="your_production_token"

# Never use debug mode in production
# debug=False is the default

If you discover a security vulnerability in the LGL client:

1. DO NOT open a public issue
2. Contact the maintainers privately
3. Provide detailed information about the vulnerability
4. Allow time for a fix before public disclosure

• Keep the LGL client updated to the latest version
• Monitor security advisories for dependencies
• Test security updates in non-production environments first

The LGL client may handle personally identifiable information (PII):

• Email addresses, phone numbers, addresses
• Financial information (donation amounts, payment details)
• Personal details (names, birth dates, relationships)

• Follow your organization's data privacy policies
• Implement appropriate data retention policies
• Ensure compliance with applicable regulations (GDPR, CCPA, etc.)
• Use data minimization principles

• The LGL API handles financial information (donations, payments)
• Ensure compliance with financial regulations
• Implement appropriate audit trails

• Handle donor information with appropriate care
• Respect donor privacy preferences
• Implement data backup and recovery procedures