Security Guidance for All Authentication Methods
Blog post from Vectara
OAuth is recommended as the most secure authentication method due to its automated expiry and secure token flow, although it may not always be feasible due to complexity or lack of integration support. In such cases, Vectara offers alternatives like API keys, which, while easier to use, are less secure. There are three types of API keys: Query API Keys, which are read-only and safest for search operations; Index and Query API Keys, which allow both read and write operations and are suited for production but carry higher risk; and Personal API Keys, which provide extensive permissions and should be used with caution, ideally for rapid prototyping or when OAuth is unsupported. Best practices include using OAuth in production environments for higher security, carefully choosing API keys based on use case, avoiding exposure of personal keys in insecure environments, and regularly rotating personal API keys to maintain security.
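The guidance above can be checked against a credential inventory. The following is an added example, not code from Vectara or the original post; the inventory fields, environment labels, finding names and the 90-day rotation window are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Assumptions, not from the post: field names, environment labels and the
# 90-day rotation window (the post only says "regularly").
ROTATION_DAYS = 90
EXPOSED_ENVS = {"browser", "mobile-app", "public-repo"}
WRITE_CAPABLE = {"index_query_key", "personal_key"}

@dataclass
class Credential:
    name: str
    kind: str              # oauth | query_key | index_query_key | personal_key
    environment: str       # where the secret is deployed
    production: bool
    oauth_supported: bool  # can this integration use OAuth at all?
    needs_write: bool      # does the workload index data, or only search?
    created: date

def audit(cred: Credential, today: date) -> list[str]:
    """Return the guidance rules this credential violates."""
    if cred.kind == "oauth":
        return []
    findings = []
    if cred.production and cred.oauth_supported:
        findings.append("prefer-oauth-in-production")
    if cred.kind in WRITE_CAPABLE and not cred.needs_write:
        findings.append("use-query-key-for-search")
    if cred.kind == "personal_key":
        if cred.environment in EXPOSED_ENVS:
            findings.append("personal-key-exposed")
        if (today - cred.created).days > ROTATION_DAYS:
            findings.append("personal-key-rotation-overdue")
    return findings

def audit_inventory(inventory, today):
    """Map credential name -> findings, omitting clean credentials."""
    report = {c.name: audit(c, today) for c in inventory}
    return {name: f for name, f in report.items() if f}

# Constructed sample inventory.
INVENTORY = [
    Credential("search-widget", "query_key", "browser", True, False, False, date(2024, 1, 10)),
    Credential("ingest-job", "index_query_key", "server", True, True, True, date(2024, 3, 1)),
    Credential("demo-notebook", "personal_key", "public-repo", False, True, False, date(2024, 1, 5)),
    Credential("backend", "oauth", "server", True, True, True, date(2024, 5, 1)),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY, date(2024, 6, 1)).items():
        print(name, findings)
```

A credential is only flagged for not using OAuth when the integration can support it, which matches the post's allowance for API keys where OAuth is not feasible.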