
Security best practices

This page covers essential security guidelines for protecting your Spheron account, API credentials, and GPU instances. Apply these practices before deploying in any production environment.

Account security

Credentials protection:
  • Use strong, unique passwords
  • Never share passwords, API keys, SSH keys, or payment info
  • Verify URLs before entering credentials (official: spheron.network)
Phishing protection:
  • Watch for fake support messages and impersonation attempts
  • Use only official channels (see General Info)
  • Verify domains before clicking links

SSH keys

SSH keys are required for instance access. Only upload public keys to Spheron.

Best practices:
  • Generate keys using ED25519 or RSA 4096-bit
  • Use passphrases on private keys; never share them
  • Store private keys in a secure location, not in repositories
  • Rotate keys every 90 days
  • Use different keys for different services

See SSH Connection Guide for setup.

API keys

API keys provide programmatic access to your account. See API Reference for endpoint details.

Best practices:
  • Store API keys in environment variables; never hardcode them
  • Rotate every 90 days
  • Revoke immediately if compromised
  • Use separate keys per environment
  • Never commit API keys to version control

export SPHERON_API_KEY="<your-api-key>"  # Store in environment, not in code

Monitoring and alerts

Monitor regularly to detect unauthorized access:

  • Active instances and deployments
  • Billing and credit usage
  • API activity logs

To set up alerts:

  • Enable billing notifications in User Settings
  • Set spending limits
  • Track unusual activity patterns

See Billing for monitoring details.

Instance security

Network:
  • Close unnecessary ports
  • Configure firewall rules
  • Disable password authentication; use SSH keys only
  • Use VPN or SSH tunneling for sensitive services
System:
  • Keep software updated
  • Apply security patches promptly
  • Monitor system logs regularly
  • Back up important data before terminating an instance
Startup scripts:
  • Review scripts before deployment (they run with root privileges)
  • Never hardcode credentials in scripts
  • Use secrets management for sensitive data
  • Test scripts in a development environment first

See Connecting to instances for startup script examples.
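
A pre-deployment check for the "never hardcode credentials", "never commit API keys" and "private keys not in repositories" rules above, as an added example that is not Spheron's own tooling. The regexes are heuristic assumptions (this page does not give a key format), the sample files and values are constructed, and GNU grep is assumed.

```shell
#!/bin/sh
# Added example: flag hardcoded secrets in a startup script or repository.
# The regexes are heuristic assumptions, not a Spheron-defined key format.

# scan_secrets PATH: print "file:line:rule" per finding; return 1 if any.
scan_secrets() {
    # Private key material: only the public half is ever uploaded or shared.
    key_re='-----BEGIN ([A-Z]+ )?PRIVATE KEY-----'
    # A credential-like name assigned a literal of 16+ characters. References
    # such as "$SPHERON_API_KEY", file paths and <placeholders> do not match.
    lit_re="(api_?key|secret|token|password)[a-z0-9_]*[[:space:]]*[=:][[:space:]]*[\"']?[A-Za-z0-9_-]{16,}"
    findings=$(
        grep -rnHIE --exclude-dir=.git -e "$key_re" -- "$1" |
            cut -d: -f1,2 | sed 's/$/:private-key/'
        grep -rnHIEi --exclude-dir=.git -e "$lit_re" -- "$1" |
            cut -d: -f1,2 | sed 's/$/:hardcoded-credential/'
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
}

# write_sample DIR: constructed inputs for trying the scanner (all values fake).
write_sample() {
    mkdir -p "$1"
    cat > "$1/startup-bad.sh" <<'EOF'
#!/bin/sh
export SPHERON_API_KEY="EXAMPLEONLYnotarealkey0000000000"
nvidia-smi
EOF
    cat > "$1/startup-good.sh" <<'EOF'
#!/bin/sh
: "${SPHERON_API_KEY:?set SPHERON_API_KEY in the environment}"
export TOKEN_FILE=/run/secrets/token
EOF
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'CONSTRUCTED' > "$1/id_ed25519"
}

# Usage: sh scan_secrets.sh PATH   (exit status 1 when anything is found)
if [ "$#" -gt 0 ]; then scan_secrets "$1"; fi
```

Because it exits non-zero on any finding, the script can serve as a pre-commit hook or CI step; expect occasional false positives from the name-based rule.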

Official channels and support

For a complete list of official Spheron channels and contact information, see General Information.

Always verify you are on the correct official domain before:

  • Entering login credentials
  • Connecting your wallet to any website
  • Sharing sensitive information
  • Clicking links in messages or emails

Bookmark official URLs and double-check domains to avoid phishing attempts.

Reporting security issues

If you suspect unauthorized access or find a vulnerability, take these steps immediately:

  1. Change your account password
  2. Revoke compromised API keys and SSH keys
  3. Terminate any suspicious instances
  4. Review billing for unauthorized usage

Then report the issue:

  • Contact through official channels (see General Info)
  • Provide timestamps, affected resources, and observed behavior
  • Report phishing attempts to help the community

Security checklist

Account:
  • Strong unique password set
  • Regular activity reviews scheduled
Keys:
  • Only SSH public keys uploaded
  • Passphrases set on private keys
  • 90-day key rotation scheduled
  • API keys stored in environment variables
Instances:
  • Firewall configured
  • Software kept up to date
  • Unnecessary ports closed
  • Instances terminated when not in use
