> ## Documentation Index
> Fetch the complete documentation index at: https://docs.nomiq.site/llms.txt
> Use this file to discover all available pages before exploring further.

# Security, SSO, and Data Compliance in Nomiq Workspace

> Protect your Nomiq workspace with API key best practices, SSO configuration, webhook verification, and data compliance guidance for administrators.

Securing your Nomiq workspace is the responsibility of your workspace Admins, and Nomiq gives you the controls to do it thoroughly. From protecting the API keys that power your integrations to enforcing organization-wide authentication through your identity provider, the settings in this section reduce both accidental exposure and deliberate misuse. Read through this page before you go live with any production integration.

## API Key Security

Nomiq issues API keys that grant programmatic access to your workspace's generation engine and asset library. Because an exposed key lets anyone bill charges to your account and read your private brand assets, treat it with the same care as a password.

**Best practices:**

* **Store keys in environment variables**, never in source code. Use your hosting provider's secret management system (for example, Vercel Environment Variables, AWS Secrets Manager, or a `.env` file excluded from version control).
* **Never commit keys to a repository.** Even in a private repo, keys embedded in code are a significant risk if the repo is ever made public or if a contributor's machine is compromised.
* **Create one key per integration.** If you have a staging environment and a production environment, generate a separate key for each. This way, rotating a compromised key does not affect other integrations.
* **Set a hard API cap.** In **Settings > Billing**, set a monthly generation cap. If a key leaks, the cap limits the financial damage while you respond.

<Warning>
  Never share your Nomiq API key in client-side code, public repositories, Slack messages, or support tickets. If you suspect a key has been exposed, rotate it immediately from **Settings > Security > API Keys**. Rotation invalidates the old key within seconds—any in-flight requests using the old key will fail, so update your environment variables promptly.
</Warning>

### Rotating an API Key

1. Go to **Settings > Security > API Keys**.
2. Find the key you want to rotate and click **Rotate**.
3. Copy the new key value displayed in the modal—Nomiq shows it only once.
4. Update every environment or service that uses the old key before closing the modal.
5. Click **Confirm Rotation**. The old key is revoked immediately.

```bash theme={null}
# Set your API key as an environment variable (never hardcode it)
export NOMIQ_API_KEY="nm_live_xxxxxxxxxxxxxxxxxxxx"

# Reference it in your application code
curl https://api.nomiq.ai/v1/generate \
  -H "Authorization: Bearer $NOMIQ_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"project_id": "proj_abc123", "prompt": "minimalist tech startup"}'
```

## Workspace Access Control

Role-based access control (RBAC) is your first line of defense against accidental changes to live brand assets. Follow the principle of least privilege: assign the **Viewer** role to anyone who only needs to read guidelines or download exports, and reserve **Editor** and **Admin** access for people who actively work on brand generation.

You can enforce **Two-Factor Authentication (2FA)** for all workspace members by going to **Settings > Security** and toggling **Require 2FA for all members**. Once enabled, any member who has not set up 2FA is locked out at their next login until they complete enrollment. This is strongly recommended for agencies working with pre-launch or confidential client brands.

For a full breakdown of what each role can and cannot do, see the [Collaboration](/workspace/collaboration) page.

## Single Sign-On (SSO)

SSO is available on the **Agency plan**. It lets you require that all workspace members authenticate through your organization's identity provider (IdP) instead of Nomiq's email/password login. Nomiq supports **SAML 2.0** and **OIDC**, which are compatible with Okta, Google Workspace, Microsoft Azure AD, and most enterprise IdPs.

### Configuring SSO with Okta

<Steps>
  <Step title="Request SSO provisioning">
    Contact your Nomiq Account Executive or email support to enable the SSO feature flag on your Agency workspace. They will confirm within one business day.
  </Step>

  <Step title="Add Nomiq to Okta">
    In the Okta Admin Console, go to **Applications > Create App Integration** and select **SAML 2.0**. For the **Single Sign-On URL** and **Audience URI**, use the values shown in Nomiq under **Settings > Security > SSO Configuration**.
  </Step>

  <Step title="Copy the IdP Metadata URL">
    After saving the Okta app, open the **Sign On** tab and copy the **Identity Provider Metadata** URL.
  </Step>

  <Step title="Apply SSO to your Nomiq workspace">
    In Nomiq, navigate to **Settings > Security > SSO**. Paste the IdP Metadata URL into the **Metadata URL** field and click **Enforce SSO**.
  </Step>

  <Step title="Test the login flow">
    Open a private browser window and navigate to the Nomiq login page. Enter an email address from your organization's domain. You should be redirected automatically to Okta for authentication. On success, Okta returns you to the Nomiq dashboard. If the redirect fails, verify that the Nomiq Audience URI in Okta matches exactly what is shown in Nomiq's SSO settings.
  </Step>
</Steps>

<Note>
  When you enforce SSO, Nomiq sends each Admin a one-time **Break Glass** recovery code by email. Store this code securely offline. If your IdP goes down or is misconfigured and locks you out, use the Break Glass code on the Nomiq login page to bypass SSO and fix the configuration.
</Note>

## Data Handling and Compliance

Nomiq is **SOC 2 Type II certified** and encrypts all data at rest using **AES-256** and all data in transit using **TLS 1.2+**. Nomiq maintains a **99.99% uptime SLA** for paid plans.

**Your brand data belongs to you.** Nomiq does not use your private workspace projects—prompts, generated logos, color palettes, or brand names—to train or fine-tune any underlying AI model. The AI engine processes your session data in memory for inference only and does not persist it for model improvement.

Data residency defaults to US-based infrastructure. Contact your Account Executive if your organization requires EU data residency under GDPR.

## Webhook Signature Verification

If you use Nomiq webhooks to receive real-time notifications when a generation completes or an asset is exported, verify the `X-Nomiq-Signature` header on every incoming request. This prevents attackers from sending forged payloads to your endpoint.

```typescript theme={null}
import { createHmac, timingSafeEqual } from "crypto";

function verifyNomiqWebhook(
  rawBody: Buffer,
  signatureHeader: string,
  webhookSecret: string
): boolean {
  const expected = createHmac("sha256", webhookSecret)
    .update(rawBody)
    .digest("hex");

  const trusted = Buffer.from(`sha256=${expected}`, "utf8");
  const received = Buffer.from(signatureHeader, "utf8");

  // Use timingSafeEqual to prevent timing attacks
  if (trusted.length !== received.length) return false;
  return timingSafeEqual(trusted, received);
}
```

Store your webhook secret in an environment variable—never hardcode it. Rotate the secret from **Settings > Security > Webhooks** if you suspect it has been exposed.

<CardGroup cols={2}>
  <Card title="Collaboration" icon="users" href="/workspace/collaboration">
    Review role-based access controls to complement your security configuration.
  </Card>

  <Card title="Billing & Plans" icon="credit-card" href="/workspace/billing-and-plans">
    Upgrade to Agency to unlock SSO and priority API access.
  </Card>

  <Card title="API Reference" icon="code" href="/api-reference/overview">
    Learn how to authenticate API requests and manage key rotation programmatically.
  </Card>

  <Card title="Projects & Assets" icon="folder-tree" href="/workspace/projects-and-assets">
    Understand how your brand assets are stored and protected inside the workspace.
  </Card>
</CardGroup>
