Skip to main content
1
Keep API Calls Backend-OnlyRoute all Connect AI Embed API requests through your backend server. Do not call CData directly from client-side code, and do not expose JWT private keys or other secrets to the frontend.
2
Use Short-Lived JWTs for REST API AccessIdeally, there should be three minutes or less per request, with one hour as an absolute maximum. Regenerate tokens per request where possible, especially for sensitive operations.
3
Store Secrets SecurelyStore JWT private keys, API keys, and data source credentials in a secure vault, secret manager, or environment variable system. Never hard-code secrets in application code or commit them to source control.
4
Validate All InputValidate connection IDs, view names, query parameters, and any other user-supplied input before sending it to CData. Treat all input as untrusted, especially in agentic workflows where an LLM may construct requests dynamically.
5
Sanitize ErrorsDo not surface raw CData API errors or internal stack traces to end users. Convert them into user-friendly messages and keep detailed diagnostics in server logs.
6
Control Tool Access in Your AppIf you use MCP, define which flows are read-only and which can perform writes. Gate tool access in your orchestration layer and monitor for unexpected tool usage or unusual query patterns.
7
Log at the Application LayerConnect AI Embed provides platform logs, but your application owns user-level attribution. Correlate your application logs with CData logs so you can answer who did what, when, and from which tenant.

Readiness Checklist

Pre-Deployment

  • Document the data sources to which you plan to connect.
  • Classify the sensitivity of each source.
  • Define which AI features will be enabled for the POC or trial.
  • Decide which workflows need read-only versus read/write access.
  • Design your identity and authorization model for the application.
  • Define log retention and review procedures.

JWT and API Configuration

  • Store signing keys in a secure vault or environment variables.
  • Confirm no secrets are exposed in frontend code or repositories.
  • Use short-lived JWTs with a three-minute target TTL where possible.
  • Generate new JWTs per request or per small batch of requests for sensitive actions.

Access Control in Your Application

  • Restrict which users can access AI features.
  • Define which customer or tenant each user belongs to.
  • Enforce per-feature rules for read and write actions.
  • Validate all connection IDs, view names, and query parameters.
  • Sanitize all error messages returned to clients.

MCP and Tool Usage

  • Decide whether the MCP workflow should be read-only or read/write.
  • Gate tool access in your agent orchestration layer.
  • Validate prompts and parameters before execution.
  • Monitor tool usage for anomalies or unexpected actions.

Ongoing Operations

  • Review CData logs and your application logs regularly.
  • Rotate JWT signing keys and other secrets on a schedule.
  • Remove write access where it is not needed.
  • Keep current with CData security updates and Embed documentation.