Loreto Sites

Support

FAQ

AllGetting startedImportEditingPublishingDomainsRolesBillingSupportSecurityWebsites

Where are sensitive API keys handled?

Sensitive server actions should run through backend routes or cloud functions with secrets stored outside browser code. Do not paste private keys into public website content.

In-depth answer+

Security-sensitive work includes authentication, authorization, secrets, uploads, publishing permission, billing access, and domain ownership. The safest support requests describe the symptom without exposing private credentials.

Technical checks

  • Do not paste passwords, API keys, private keys, service account JSON, recovery codes, or full payment details into public fields.
  • For access concerns, note the user email, role, organization, site, action attempted, and whether the user should have that permission.
  • For suspicious activity, include timestamps, affected pages, user accounts, and what changed.
  • For upload or attachment issues, include file type and size, but do not attach files containing private records unless support specifically requests a secure path.

Escalation details to include

  • For suspected account compromise, revoke access first if you can, then send support the affected email and timing.
  • For accidentally shared secrets, rotate the secret in the original provider and tell support what type of secret was exposed.
  • For publishing or billing permission problems, include the expected approver and current blocked user.

Reference notes

  • Authentication: proves who the user is.
  • Authorization: controls what the user can do after sign-in.
  • App Check and rate limiting: reduce abusive automated requests where enabled.
  • Audit trail: security-relevant actions should retain enough context for review.

Are critical errors monitored?

Production errors are logged and important failures can notify the operator. If you see a repeated issue, send the exact time, page, and action so support can match it to logs.

In-depth answer+

Security-sensitive work includes authentication, authorization, secrets, uploads, publishing permission, billing access, and domain ownership. The safest support requests describe the symptom without exposing private credentials.

Technical checks

  • Do not paste passwords, API keys, private keys, service account JSON, recovery codes, or full payment details into public fields.
  • For access concerns, note the user email, role, organization, site, action attempted, and whether the user should have that permission.
  • For suspicious activity, include timestamps, affected pages, user accounts, and what changed.
  • For upload or attachment issues, include file type and size, but do not attach files containing private records unless support specifically requests a secure path.

Escalation details to include

  • For suspected account compromise, revoke access first if you can, then send support the affected email and timing.
  • For accidentally shared secrets, rotate the secret in the original provider and tell support what type of secret was exposed.
  • For publishing or billing permission problems, include the expected approver and current blocked user.

Reference notes

  • Authentication: proves who the user is.
  • Authorization: controls what the user can do after sign-in.
  • App Check and rate limiting: reduce abusive automated requests where enabled.
  • Audit trail: security-relevant actions should retain enough context for review.

Contact us

Include the domain, current site or dashboard URL, what changed, what you expected, and a screenshot when the issue is visual.

Need urgent help?

We will get back to you as soon as possible.

Text support