Reference
Security
API keys (server-only)
- Never commit keys to public repos or paste them in public chats.
- Call FluxServer.Init(apiKey) only from server code (typically once when your experience boots). The key must never appear in ReplicatedStorage, StarterPlayer, or any ModuleScript that a LocalScript can require. FluxClient has no Init(apiKey). Clients forward events through FluxRemoteEvent. FluxServer is the only component that calls Flux over HTTP.
- Rotate immediately on leak; update every place that called the old key.
- For published games, prefer Roblox's secrets store so the key is not in script source.
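The server-only bootstrap the list above describes, as an added example in Luau (this is not Flux's own code). It assumes the FluxServer ModuleScript is placed under ServerScriptService, that the key is registered in Roblox's secrets store under the placeholder name FLUX_API_KEY, and that FluxServer.Init accepts the Secret object returned by HttpService:GetSecret; none of those three details is stated on this page.

```lua
-- ServerScriptService/FluxBootstrap (Script). Added example, not Flux's own code.
-- Assumptions: FluxServer lives under ServerScriptService (unreachable from LocalScripts),
-- the secret is named "FLUX_API_KEY" (placeholder), and FluxServer.Init accepts a Secret object.
local HttpService = game:GetService("HttpService")
local RunService = game:GetService("RunService")
local ServerScriptService = game:GetService("ServerScriptService")

-- Hard stop if this script is ever copied somewhere the client executes it.
assert(RunService:IsServer(), "FluxBootstrap must only run on the server")

local FluxServer = require(ServerScriptService:WaitForChild("FluxServer"))

-- Reads the key from the secrets store so it never appears in script source.
-- GetSecret throws when the secret is not configured for this experience, so it is wrapped in pcall.
local function loadApiKey()
    local ok, result = pcall(function()
        return HttpService:GetSecret("FLUX_API_KEY")
    end)
    if ok then
        return result -- a Secret object; script code cannot read it as plain text
    end
    warn("Flux: secret FLUX_API_KEY is not configured; Flux disabled (" .. tostring(result) .. ")")
    return nil
end

local apiKey = loadApiKey()
if apiKey then
    -- Called exactly once, at boot, on the server. No LocalScript can reach this value.
    FluxServer.Init(apiKey)
end
```

The contrast to keep in mind: a ModuleScript in ReplicatedStorage that returns `{ apiKey = "..." }` is replicated to, and readable by, every client that joins, which is exactly the placement the list above forbids.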
Untrusted clients
Treat every RemoteEvent payload as hostile input. The Flux server module validates shape and size, applies per-player throttling, and derives player attribution from the Roblox Player instance, not from arbitrary fields clients send.
Payloads
Project members can read logs in the web app. Do not log tokens, cookies, keys, or PII you should not retain. Prefer opaque ids.
Exploit & Anomaly Clustering
The Studio plan includes a dedicated Security dashboard. Use FluxServer.Security() and FluxClient.Security() to flag exploit attempts and suspicious behavior caught by your server-side sanity checks.
Flux will automatically parse these logs and group them by UserId and severity in your project's Security tab, giving you a ready-made moderation queue backed by timestamped evidence.
You can also be notified the moment exploits spike: create an alert with Security anomalies only enabled and it fires in-app (and to Discord on paid plans) whenever Security() events cross your threshold.
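The checks described under "Untrusted clients" (shape and size validation, per-player throttling, attribution taken from the Player instance), applied to a game-owned RemoteEvent and wired to FluxServer.Security() as the section above suggests. This is an added example, not the Flux server module itself. It assumes FluxServer has already been initialised by a server bootstrap script, that a RemoteEvent named PlayerReport exists under ReplicatedStorage, and that FluxServer.Security takes a message string and a fields table; the real signature is not shown on this page.

```lua
-- ServerScriptService/ReportHandler (Script). Added example, not Flux's own module.
-- Assumptions: FluxServer is already initialised; the RemoteEvent "PlayerReport" is under
-- ReplicatedStorage; FluxServer.Security(message, fields) is the assumed signature.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local ServerScriptService = game:GetService("ServerScriptService")

local FluxServer = require(ServerScriptService:WaitForChild("FluxServer"))
local reportEvent = ReplicatedStorage:WaitForChild("PlayerReport")

local MAX_EVENTS_PER_WINDOW = 5 -- per player
local WINDOW_SECONDS = 10
local MAX_REASON_LENGTH = 200
local ALLOWED_CATEGORIES = { cheating = true, abuse = true, bug = true }
local ALLOWED_FIELDS = { category = true, reason = true, targetUserId = true }

-- Per-player sliding window: Player -> timestamps of recent events.
local recent = {}
-- Validated reports, keyed by reporter UserId (stand-in for your moderation pipeline).
local pendingReports = {}

local function isThrottled(player)
    local now = os.clock()
    local kept = {}
    for _, t in ipairs(recent[player] or {}) do
        if now - t < WINDOW_SECONDS then
            table.insert(kept, t)
        end
    end
    table.insert(kept, now)
    recent[player] = kept
    return #kept > MAX_EVENTS_PER_WINDOW
end

-- Returns nil when the payload is acceptable, otherwise a short, bounded reason string.
local function validate(payload)
    if typeof(payload) ~= "table" then
        return "payload is not a table"
    end
    -- Unknown keys are rejected outright; this also bounds the table size.
    for key in pairs(payload) do
        if not ALLOWED_FIELDS[key] then
            return "unexpected field " .. string.sub(tostring(key), 1, 32)
        end
    end
    if not ALLOWED_CATEGORIES[payload.category] then
        return "bad category"
    end
    if typeof(payload.reason) ~= "string" or #payload.reason > MAX_REASON_LENGTH then
        return "reason missing or too long"
    end
    local target = payload.targetUserId
    if typeof(target) ~= "number" or target % 1 ~= 0 or target <= 0 then
        return "targetUserId is not a positive integer"
    end
    return nil
end

local function recordReport(player, payload)
    pendingReports[player.UserId] = pendingReports[player.UserId] or {}
    table.insert(pendingReports[player.UserId], {
        category = payload.category,
        reason = payload.reason,
        targetUserId = payload.targetUserId,
        at = os.time(),
    })
end

reportEvent.OnServerEvent:Connect(function(player, payload)
    -- `player` is supplied by the engine; a userId carried inside `payload` is never trusted.
    if isThrottled(player) then
        FluxServer.Security("report_rate_limited", { userId = player.UserId, severity = "low" })
        return
    end
    local problem = validate(payload)
    if problem then
        -- Only the bounded reason string is logged, never the raw payload.
        FluxServer.Security("report_payload_rejected", {
            userId = player.UserId,
            severity = "medium",
            detail = problem,
        })
        return
    end
    recordReport(player, payload)
end)

Players.PlayerRemoving:Connect(function(player)
    recent[player] = nil
end)
```

Two details carry the weight here: the throttle and the attribution both key on the Player object the engine passes to OnServerEvent, so a client cannot spoof another user's identity or reset its own budget, and every string that reaches Security() is either a fixed literal or truncated, which keeps the evidence in the Security tab small and free of client-chosen content.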
Transport
Use https:// ingest URLs only; avoid long redirect chains. For the client, server, and HTTPS flow, start from the API overview and the Studio plugin.