Security overview
Understand how Trevi secures data, access, and credentials.
Security model
Trevi is organized around your account. Access is enforced at the account and resource level. Users inherit permissions through their role.
Credential handling
Credentials and connection data are stored encrypted at rest. Secrets are never returned in plaintext after creation.
Token safety
Use short-lived access tokens where possible. Do not store client secrets in browsers or client-side apps.
Auditability
Audit logs track important actions and help you trace configuration changes.
Best practices
Use least privilege. Keep tool lists small and scoped. Revoke connections when no longer needed.