Brand Engineer Workspace Best Practices
Cuppa is built for Agent Brand Engineering — one workspace where your team, AI providers, integrations, and brand DNA all connect. As that workspace grows, a few simple habits keep things secure, predictable, and easy to hand off.
This is not about fear — it’s the new reality of running a connected workspace. A short quarterly pass takes minutes and prevents the awkward surprises that come from stale access or forgotten credentials.
This page is a practical checklist for Owners and Admins. Adapt it to your company’s IT and security policies.
Team access: offboard fast, scope tight
Remove members who have left
When someone leaves your company or agency, remove them from Cuppa the same day you revoke their company email.
- Go to Team Settings → Members
- Find the member → Remove
Removed members lose access immediately. They cannot sign in or use team API keys through the app.
Contractors & freelancers: Remove access at end of engagement even if the relationship was good. You can always re-invite later.
Review pending invites
Stale invites are an open door. Monthly (or after any org change):
- Cancel invites that were never accepted
- Confirm each pending email still belongs to someone who should have access
Use Brand Permissions for Members
Not everyone needs every brand. On Studio+ teams, assign Members only to the brands they work on. See Brand Permission.
| Role | Best practice |
|---|---|
| Owner | One or two trusted owners; avoid shared logins |
| Admin | Full settings access only for people who need it |
| Member | Scoped to specific brands; default for writers/SMM |
Owners and Admins always see all brands — keep that group small.
Avoid shared credentials
Each person should have their own Cuppa login. Do not share one account across a team. Shared logins make audit trails impossible and slow offboarding.
API keys: rotate, label, and revoke
Cuppa uses your provider keys (OpenAI, Anthropic, Replicate, xAI, etc.). Team members share those keys inside the workspace — so key hygiene matters.
Rotate keys at least twice a year
Best practice: Rotate provider API keys every six months, and immediately after:
- A team member with settings access leaves
- A key may have been exposed (Slack paste, screenshot, committed to git)
- A laptop or password manager breach
Rotation workflow:
- Create a new key in the provider console (OpenAI, Anthropic, etc.)
- Update Team Settings → API Keys in Cuppa
- Confirm generation still works (single test article or image)
- Revoke the old key at the provider — do not leave it active “just in case”
Repeat for each connected provider and for your Cuppa REST API key (Studio+) under Team Settings → API Access.
Label keys at the source
In each provider dashboard, name keys clearly — e.g. Cuppa Production – 2026-H1. When you rotate, you know exactly which key Cuppa is using.
Never embed keys outside Team Settings
- Do not put provider keys in Brand Skills repos, MCP config files in shared drives, or client-facing docs
- For CLI/MCP on local machines, use env vars or OS keychains — not committed .env files
- Cuppa REST API keys belong in your server secrets manager, not front-end code
See OpenAI API, Anthropic API, and Rest API setup guides for where keys live.
Spend: monitor in Cuppa and at every provider
Bring-your-own-keys means you pay providers directly. Cuppa does not mark up API usage on subscription plans; lifetime plans may meter select features through the Cuppa Gateway wallet.
Track spend in two places
| Where | What to watch |
|---|---|
| Provider dashboards | OpenAI, Anthropic, Replicate, xAI, Perplexity usage & limits |
| Cuppa | Subscription, wallet balance, add-ons, social connection overages |
Monthly habit:
- Open each provider’s usage/billing page (links in our API setup guides)
- Check Team Settings → Billing and wallet auto-reload settings (lifetime)
- Compare trend vs. last month — spikes often mean a runaway bulk job or agent loop
Set limits at the provider
Before you need them:
- OpenAI / Anthropic: Monthly budget caps and alert thresholds
- Replicate / WaveSpeed: Usage alerts where available
- X (Twitter) social: Opt in per brand with a monthly spend cap — off by default (Social Posts)
Cuppa pauses metered X and wallet-backed features when caps or balance are hit, but provider-side limits are your first line of defense against runaway API spend.
Watch bulk and agent workloads
High spend often comes from:
- Large bulk article or image batch runs
- MCP/CLI agents retrying in a loop
- Creative Lab batch ad generation (up to 20 variants)
Set expectations with the team: who can kick off bulk jobs, and max batch sizes for experiments.
Integrations and connected accounts
Publishing integrations sit between Cuppa and your live sites. They deserve the same attention as AI provider keys — especially if team members change or a client relationship ends.
Rotate CMS credentials quarterly
Best practice: Review and rotate CMS integration credentials every quarter (every three months), and immediately when someone with integration access leaves or a site changes hands.
Most CMS connections use long-lived tokens or application passwords. They do not expire on their own, which is convenient day-to-day — but it means rotation is on you.
| Integration | What to rotate | Where in Cuppa |
|---|---|---|
| WordPress | Application password | Team Settings → Integrations → reconnect site |
| Ghost | Admin API key | Same |
| Webflow | Site API token | Same — generate new token in Webflow, update Cuppa |
| Sanity | API token (Editor+) | Same — new token in Sanity project settings |
| Contentful | Personal access / CMA token | Same |
| Shopify (legacy static token) | Admin API access token | Same — Dev Dashboard OAuth apps refresh automatically |
| Airtable | Personal access token | Same |
Rotation workflow:
- Generate a new token or application password in the CMS (name it clearly, e.g. Cuppa – 2026-Q3)
- Update the connection in Team Settings → Integrations (or reconnect the site)
- Publish a quick test post or draft to confirm the pipeline still works
- Revoke the old token in the CMS — do not leave both active
OAuth-based connections (Google Search Console, GA4, Bing, social accounts) use refresh tokens managed by Cuppa. You cannot rotate those like an API key, but you should disconnect and reconnect if an Admin who set them up leaves, or during your quarterly audit if access looks stale.
See the Integrations overview for setup details per platform.
Disconnect what you no longer use
Periodically audit Team Settings → Integrations and each brand’s Site Settings:
- CMS connections (WordPress, Ghost, Webflow) for retired sites
- Social accounts for ex-clients or deprecated handles
- Ad accounts in Brand Social → Paid Ads for ended campaigns
Fewer active connections means less to maintain — and one less thing to worry about if credentials ever leak.
OAuth is per-team
Anyone with Admin access can connect integrations. Restrict Admin roles accordingly. When offboarding an Admin, review recently connected integrations.
Brand and data hygiene
Review Brand Permissions after client changes
Agency teams: when a client offboards, remove their brands from affected Members and archive or delete the site if you no longer manage it.
Be deliberate with Knowledge Sources
Knowledge Sources and Brand Skills shape what the AI sees. Do not upload:
- Confidential HR, legal, or unreleased financial data
- Client secrets you are not contractually allowed to store in third-party tools
Treat Cuppa like any SaaS in your stack — if your policy requires a DPA or data review, run that process first.
Brand Skills from GitHub
Only import skills from repos you trust. Skills are scanned for injection patterns, but team admins control what gets installed. See Brand Skills.
Automation surface (REST API, MCP, CLI, webhooks)
| Surface | Practice |
|---|---|
| REST API | Rotate Cuppa API keys on the same schedule as provider keys; scope to server-side only |
| Webhooks | HTTPS endpoints only; verify caller; rotate if endpoint URL or team changes |
| MCP / CLI | Run on trusted machines; lock down config files; offboard = revoke keys + remove local configs |
| Agents | Give agents clear stop conditions; avoid unbounded “keep generating” loops |
Quick checklist
Use this quarterly (or after any team change):
- Removed departed team members and expired invites
- Brand Permissions reviewed for each Member
- Provider API keys rotated (or scheduled) — max 6 months old
- CMS integration tokens/passwords rotated — WordPress, Ghost, Webflow, Sanity, Contentful, etc.
- OAuth integrations (GSC, GA4, Bing, social) reconnected if an Admin left or access looks stale
- Cuppa REST API key rotated (Studio+)
- Spend reviewed in Cuppa billing + each provider dashboard
- Provider budget alerts and X social caps confirmed
- Unused integrations and social/ad connections disconnected
- Knowledge Sources and Brand Skills audited for sensitive or stale content
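As an added example (not part of Cuppa's docs or product), a small Python audit that applies this checklist's rotation cut-offs to the key labels you created under "Label keys at the source" (e.g. Cuppa Production – 2026-H1, Cuppa – 2026-Q3). The inventory is constructed, and "six months" and "quarterly" are assumed to mean 183 and 92 days.

```python
import re
from datetime import date

# Rotation thresholds from the checklist (assumed day counts).
MAX_AGE_DAYS = {
    "provider": 183,    # provider API keys: at most six months old
    "cuppa_rest": 183,  # Cuppa REST API key: same schedule as provider keys
    "cms": 92,          # CMS integration tokens/passwords: quarterly
}

# Labels end in the period they were issued, e.g. "2026-H1" or "2026-Q3".
_PERIOD = re.compile(r"(\d{4})-(H[12]|Q[1-4])\s*$")


def issued_on(label: str) -> date:
    """First day of the period encoded in a key label.

    Using the period start overestimates a key's age, so the audit
    flags keys a little early rather than late.
    """
    m = _PERIOD.search(label)
    if not m:
        raise ValueError(f"label lacks a YYYY-H#/Q# suffix: {label!r}")
    year, period = int(m.group(1)), m.group(2)
    if period[0] == "H":
        month = 1 if period == "H1" else 7
    else:
        month = 3 * (int(period[1]) - 1) + 1
    return date(year, month, 1)


def overdue(inventory, as_of_iso: str):
    """Return (kind, label, age_days) for every key past its threshold."""
    as_of = date.fromisoformat(as_of_iso)
    report = []
    for kind, label in inventory:
        age = (as_of - issued_on(label)).days
        if age > MAX_AGE_DAYS[kind]:
            report.append((kind, label, age))
    return report


# Constructed sample inventory: dashboard labels only, no key material.
SAMPLE = [
    ("provider", "Cuppa Production – 2026-H1"),
    ("provider", "Cuppa Production – 2025-H2"),
    ("cms", "Cuppa – 2026-Q3"),
    ("cms", "Cuppa – 2026-Q1"),
    ("cuppa_rest", "Cuppa REST – 2026-H1"),
]

if __name__ == "__main__":
    for kind, label, age in overdue(SAMPLE, "2026-09-15"):
        print(f"ROTATE {kind:<10} {label} ({age} days old)")
```

Run it during the quarterly pass against the labels you see in each provider and CMS dashboard; anything it prints goes through the rotation workflow above.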
Related docs
- Team Settings — Members, API keys, billing, webhooks
- Brand Permission — Scope members to specific brands
- Organization Settings — Profile and team overview
- Agent Brand Engineering — What the workspace is built to do
- Integrations overview — CMS setup and credential types per platform
- Advantages of Bring Your Own Keys — Why provider spend is yours to manage