Security Architecture
Understand Skytells' secure-by-design principles — encryption, tenant isolation, API key scoping, audit logging, and your client-side security responsibilities.
What you'll be able to do after this module
Articulate the security model of your AI integration to your security team, customers, or enterprise buyers — and implement the client-side hardening that Skytells expects from production integrations.
Skytells security principles
| Principle | What it means for you |
|---|---|
| Zero trust | Every API request is independently authenticated — no session tokens or implicit permissions |
| Least privilege | API keys can be scoped to minimum required operations |
| Encryption everywhere | TLS 1.3 in transit, AES-256 at rest — enforced, not optional |
| No training on your data | Your prompts and outputs are never used to train models by default |
Authentication deep dive
How API keys work
Skytells uses the x-api-key header for all authentication. Keys are:
- Scoped — restricted to specific operations (predictions-only, read-only, etc.)
- Rotatable — revoke and reissue with zero application downtime
- Audited — every use is logged: key ID, timestamp, IP, operation, latency
- Rate-limited — per-key limits prevent a single key from causing platform-wide abuse
Recommended key scopes by environment
| Environment | Grant these scopes | Why |
|---|---|---|
| Production backend | predictions:create, predictions:read | Minimal required |
| Analytics dashboard | predictions:read, models:read | Read-only; no generation |
| Monitoring/ops | predictions:read | Audit without side effects |
| Admin ops | Full access | Restrict to allowlisted IPs |
Never use a full-access key in automated systems. If an automation is compromised, a scoped key limits the blast radius.
Network security
TLS enforcement
All communication with api.skytells.ai and edge.skytells.ai requires TLS 1.2+. TLS 1.3 is used by default. HTTP connections are rejected.
Your SDK and requests/fetch validate TLS certificates automatically. Don't disable certificate validation:
```python
import os
import ssl
import urllib.request

# Assumption: the key is supplied through an environment variable (name is illustrative)
api_key = os.environ["SKYTELLS_API_KEY"]

# Correct: default context validates certificates
context = ssl.create_default_context()
req = urllib.request.Request(
    "https://api.skytells.ai/v1/models",
    headers={"x-api-key": api_key},
)
with urllib.request.urlopen(req, context=context) as resp:
    data = resp.read()
```

Never disable TLS certificate validation (rejectUnauthorized: false, verify=False, ssl._create_unverified_context()). This defeats all transport security and exposes you to man-in-the-middle attacks.
IP allowlisting (Enterprise)
Enterprise customers can restrict API key usage to specific IP CIDR ranges. A stolen key used from an IP address outside those ranges is rejected automatically, even though the key itself is valid.
Contact Support to configure IP allowlisting for your organization.
Data isolation
Skytells operates a fully multi-tenant platform with hard data boundaries:
| Isolation layer | How it works |
|---|---|
| Compute | Each prediction runs in an isolated execution environment — no shared memory with other tenants |
| Storage | Outputs are stored in per-account isolated buckets — not accessible by prediction ID alone |
| Credentials | API keys are account-scoped — cross-account access is impossible by design |
| Logs | Usage logs are account-scoped — your data is never visible to other tenants |
Data retention defaults
| Data type | Default retention | Deletable? |
|---|---|---|
| Prediction inputs | 30 days | Yes |
| Prediction outputs (CDN) | 24 hours | Yes |
| Usage/billing logs | 90 days | Enterprise-configurable |
| Audit logs | 1 year | No (compliance) |
Enterprise customers can configure shorter retention periods and opt in to zero-retention mode, where inputs are deleted immediately after generation.
Audit logging
Skytells maintains a full audit log of all API key operations. You can query your audit log via the Dashboard or API:
- API key creation, rotation, and revocation
- Every prediction: key ID, IP address, model, status, latency, cost
- Webhook delivery attempts and outcomes
- Account configuration changes
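An added example, not Skytells' code, of reviewing exported audit records on your side: it flags key use from unexpected IP ranges and operations outside the scopes you intended for that key. The record layout, key IDs, CIDR ranges, `KEY_POLICY` and `review_audit` are assumptions; the page lists the logged fields but not an export format.

```python
import ipaddress

# Assumption: per-key expectations you maintain yourself (key IDs and CIDRs are constructed).
KEY_POLICY = {
    "key_prod_backend": {
        "scopes": {"predictions:create", "predictions:read"},
        "cidrs": ["203.0.113.0/24"],
    },
    "key_dashboard": {
        "scopes": {"predictions:read", "models:read"},
        "cidrs": ["198.51.100.0/25"],
    },
}

# Constructed audit records with the fields the page lists (key ID, timestamp, IP, operation).
# Assumption: the operation is expressed as a scope string.
SAMPLE_AUDIT = [
    {"key_id": "key_prod_backend", "ts": "2024-05-01T10:00:00Z",
     "ip": "203.0.113.17", "operation": "predictions:create"},
    {"key_id": "key_prod_backend", "ts": "2024-05-01T10:02:11Z",
     "ip": "192.0.2.44", "operation": "predictions:create"},
    {"key_id": "key_dashboard", "ts": "2024-05-01T10:05:40Z",
     "ip": "198.51.100.9", "operation": "predictions:create"},
    {"key_id": "key_unknown", "ts": "2024-05-01T10:06:02Z",
     "ip": "203.0.113.17", "operation": "models:read"},
]


def review_audit(records, policy=KEY_POLICY):
    """Return (record, reasons) pairs for entries that violate the expected policy."""
    findings = []
    for rec in records:
        reasons = []
        expected = policy.get(rec["key_id"])
        if expected is None:
            reasons.append("unknown key")
        else:
            addr = ipaddress.ip_address(rec["ip"])
            if not any(addr in ipaddress.ip_network(c) for c in expected["cidrs"]):
                reasons.append("ip outside expected ranges")
            if rec["operation"] not in expected["scopes"]:
                reasons.append("operation outside intended scopes")
        if reasons:
            findings.append((rec, reasons))
    return findings
```

An "operation outside intended scopes" finding points to a key that was granted more than its environment needs and should be reissued with a narrower scope.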
What to log on your side
Your application should also maintain its own audit log:
```python
import json
import logging
from datetime import datetime, timezone

logger = logging.getLogger("predictions.audit")


def log_prediction_created(
    user_id: str,
    prediction_id: str,
    model: str,
    ip_address: str,
    prompt_hash: str,  # hash the prompt, not the raw text, for PII protection
) -> None:
    logger.info(json.dumps({
        "event": "prediction.created",
        "ts": datetime.now(timezone.utc).isoformat(),
        "user_id": user_id,
        "prediction_id": prediction_id,
        "model": model,
        "ip": ip_address,
        "prompt_hash": prompt_hash,  # SHA-256 of the prompt
    }))
```

Log prompt hashes, not raw prompts. Raw prompts may contain PII (names, addresses, personal details) entered by users. Hashing allows correlation and abuse detection without storing sensitive text.
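An added example (not Skytells' code) of producing the `prompt_hash` value and using it for the correlation described above. It goes beyond the bare SHA-256 the page mentions by using HMAC-SHA-256 with a server-side key, so a short prompt cannot be recovered from the log by hashing guesses. `AUDIT_HASH_KEY`, `prompt_fingerprint` and `repeated_prompts` are hypothetical names, and the sample events are constructed.

```python
import hashlib
import hmac
import unicodedata
from collections import defaultdict

# Assumption: a server-side secret loaded from your secret manager; constructed value here.
AUDIT_HASH_KEY = b"constructed-demo-key-not-for-production"


def prompt_fingerprint(prompt: str, key: bytes = AUDIT_HASH_KEY) -> str:
    """Keyed hash of a normalized prompt, safe to place in the audit log."""
    # Normalize so cosmetically different copies of a prompt share one fingerprint.
    normalized = " ".join(unicodedata.normalize("NFC", prompt).split()).casefold()
    return hmac.new(key, normalized.encode("utf-8"), hashlib.sha256).hexdigest()


def repeated_prompts(events, min_users: int = 3):
    """Return {fingerprint: user_ids} for prompts sent by at least min_users accounts."""
    users_by_hash = defaultdict(set)
    for event in events:
        if event.get("event") == "prediction.created":
            users_by_hash[event["prompt_hash"]].add(event["user_id"])
    return {h: u for h, u in users_by_hash.items() if len(u) >= min_users}


# Constructed sample: three accounts submit the same text with cosmetic changes.
SAMPLE_SUBMISSIONS = [
    ("user-1", "Generate a logo for Acme Corp"),
    ("user-2", "generate a  logo for acme corp "),
    ("user-3", "Generate a logo\nfor Acme Corp"),
    ("user-4", "Summarize my meeting notes"),
]
SAMPLE_EVENTS = [
    {"event": "prediction.created", "user_id": uid,
     "prompt_hash": prompt_fingerprint(text)}
    for uid, text in SAMPLE_SUBMISSIONS
]

if __name__ == "__main__":
    for fingerprint, users in repeated_prompts(SAMPLE_EVENTS).items():
        print(fingerprint[:16], sorted(users))
```

Rotating the key breaks correlation with older log entries, so record which key version produced each fingerprint if you rotate it.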
Security checklist for enterprise deployments
Summary
Your integration meets enterprise security standards. You understand the platform's security model and have hardened your own implementation.
Key points:
- Skytells enforces TLS 1.3, AES-256 at rest, and hard tenant isolation by default
- Use scoped API keys — match permissions to the minimum required
- Log prediction events on your side with hashed prompts (never raw PII)
- Enterprise customers get IP allowlisting, configurable retention, and SSO
Next: data privacy, GDPR considerations, and user data deletion.