Skip to main content
Securing your Nomiq workspace is the responsibility of your workspace Admins, and Nomiq gives you the controls to do it thoroughly. From protecting the API keys that power your integrations to enforcing organization-wide authentication through your identity provider, the settings in this section reduce both accidental exposure and deliberate misuse. Read through this page before you go live with any production integration.

API Key Security

Nomiq issues API keys that grant programmatic access to your workspace’s generation engine and asset library. Because an exposed key lets anyone bill charges to your account and read your private brand assets, treat it with the same care as a password. Best practices:
  • Store keys in environment variables, never in source code. Use your hosting provider’s secret management system (for example, Vercel Environment Variables, AWS Secrets Manager, or a .env file excluded from version control).
  • Never commit keys to a repository. Even in a private repo, keys embedded in code are a significant risk if the repo is ever made public or if a contributor’s machine is compromised.
  • Create one key per integration. If you have a staging environment and a production environment, generate a separate key for each. This way, rotating a compromised key does not affect other integrations.
  • Set a hard API cap. In Settings > Billing, set a monthly generation cap. If a key leaks, the cap limits the financial damage while you respond.
Never share your Nomiq API key in client-side code, public repositories, Slack messages, or support tickets. If you suspect a key has been exposed, rotate it immediately from Settings > Security > API Keys. Rotation invalidates the old key within seconds—any in-flight requests using the old key will fail, so update your environment variables promptly.

Rotating an API Key

  1. Go to Settings > Security > API Keys.
  2. Find the key you want to rotate and click Rotate.
  3. Copy the new key value displayed in the modal—Nomiq shows it only once.
  4. Update every environment or service that uses the old key before closing the modal.
  5. Click Confirm Rotation. The old key is revoked immediately.

Workspace Access Control

Role-based access control (RBAC) is your first line of defense against accidental changes to live brand assets. Follow the principle of least privilege: assign the Viewer role to anyone who only needs to read guidelines or download exports, and reserve Editor and Admin access for people who actively work on brand generation. You can enforce Two-Factor Authentication (2FA) for all workspace members by going to Settings > Security and toggling Require 2FA for all members. Once enabled, any member who has not set up 2FA is locked out at their next login until they complete enrollment. This is strongly recommended for agencies working with pre-launch or confidential client brands. For a full breakdown of what each role can and cannot do, see the Collaboration page.

Single Sign-On (SSO)

SSO is available on the Agency plan. It lets you require that all workspace members authenticate through your organization’s identity provider (IdP) instead of Nomiq’s email/password login. Nomiq supports SAML 2.0 and OIDC, which are compatible with Okta, Google Workspace, Microsoft Azure AD, and most enterprise IdPs.

Configuring SSO with Okta

1

Request SSO provisioning

Contact your Nomiq Account Executive or email support to enable the SSO feature flag on your Agency workspace. They will confirm within one business day.
2

Add Nomiq to Okta

In the Okta Admin Console, go to Applications > Create App Integration and select SAML 2.0. For the Single Sign-On URL and Audience URI, use the values shown in Nomiq under Settings > Security > SSO Configuration.
3

Copy the IdP Metadata URL

After saving the Okta app, open the Sign On tab and copy the Identity Provider Metadata URL.
4

Apply SSO to your Nomiq workspace

In Nomiq, navigate to Settings > Security > SSO. Paste the IdP Metadata URL into the Metadata URL field and click Enforce SSO.
5

Test the login flow

Open a private browser window and navigate to the Nomiq login page. Enter an email address from your organization’s domain. You should be redirected automatically to Okta for authentication. On success, Okta returns you to the Nomiq dashboard. If the redirect fails, verify that the Nomiq Audience URI in Okta matches exactly what is shown in Nomiq’s SSO settings.
When you enforce SSO, Nomiq sends each Admin a one-time Break Glass recovery code by email. Store this code securely offline. If your IdP goes down or is misconfigured and locks you out, use the Break Glass code on the Nomiq login page to bypass SSO and fix the configuration.

Data Handling and Compliance

Nomiq is SOC 2 Type II certified and encrypts all data at rest using AES-256 and all data in transit using TLS 1.2+. Nomiq maintains a 99.99% uptime SLA for paid plans. Your brand data belongs to you. Nomiq does not use your private workspace projects—prompts, generated logos, color palettes, or brand names—to train or fine-tune any underlying AI model. The AI engine processes your session data in memory for inference only and does not persist it for model improvement. Data residency defaults to US-based infrastructure. Contact your Account Executive if your organization requires EU data residency under GDPR.

Webhook Signature Verification

If you use Nomiq webhooks to receive real-time notifications when a generation completes or an asset is exported, verify the X-Nomiq-Signature header on every incoming request. This prevents attackers from sending forged payloads to your endpoint.
Store your webhook secret in an environment variable—never hardcode it. Rotate the secret from Settings > Security > Webhooks if you suspect it has been exposed.

Collaboration

Review role-based access controls to complement your security configuration.

Billing & Plans

Upgrade to Agency to unlock SSO and priority API access.

API Reference

Learn how to authenticate API requests and manage key rotation programmatically.

Projects & Assets

Understand how your brand assets are stored and protected inside the workspace.