
Brand Engineer Workspace Best Practices

Cuppa is built for Agent Brand Engineering — one workspace where your team, AI providers, integrations, and brand DNA all connect. As that workspace grows, a few simple habits keep things secure, predictable, and easy to hand off.

This is not about fear — it’s the new reality of running a connected workspace. A short quarterly pass takes minutes and prevents the awkward surprises that come from stale access or forgotten credentials.

This page is a practical checklist for Owners and Admins. Adapt it to your company’s IT and security policies.


Team access: offboard fast, scope tight

Remove members who have left

When someone leaves your company or agency, remove them from Cuppa the same day you revoke their company email.

  1. Go to Team Settings → Members
  2. Find the member → Remove

Removed members lose access immediately. They cannot sign in or use team API keys through the app.

Contractors & freelancers: Remove access at end of engagement even if the relationship was good. You can always re-invite later.

Review pending invites

Stale invites are an open door. Monthly (or after any org change):

  • Cancel invites that were never accepted
  • Confirm each pending email still belongs to someone who should have access

Use Brand Permissions for Members

Not everyone needs every brand. On Studio+ teams, assign Members only to the brands they work on. See Brand Permission.

Role | Best practice
--- | ---
Owner | One or two trusted owners; avoid shared logins
Admin | Full settings access only for people who need it
Member | Scoped to specific brands; default for writers/SMM

Owners and Admins always see all brands — keep that group small.

Avoid shared credentials

Each person should have their own Cuppa login. Do not share one account across a team. Shared logins make audit trails impossible and slow offboarding.


API keys: rotate, label, and revoke

Cuppa uses your provider keys (OpenAI, Anthropic, Replicate, xAI, etc.). Team members share those keys inside the workspace — so key hygiene matters.

Rotate keys at least twice a year

Best practice: Rotate provider API keys every six months, and immediately after:

  • A team member with settings access leaves
  • A key may have been exposed (Slack paste, screenshot, committed to git)
  • A laptop or password manager breach

Rotation workflow:

  1. Create a new key in the provider console (OpenAI, Anthropic, etc.)
  2. Update Team Settings → API Keys in Cuppa
  3. Confirm generation still works (single test article or image)
  4. Revoke the old key at the provider — do not leave it active “just in case”

Repeat for each connected provider and for your Cuppa REST API key (Studio+) under Team Settings → API Access.

Label keys at the source

In each provider dashboard, name keys clearly — e.g. Cuppa Production – 2026-H1. When you rotate, you know exactly which key Cuppa is using.

Never embed keys outside Team Settings

  • Do not put provider keys in Brand Skills repos, MCP config files in shared drives, or client-facing docs
  • For CLI/MCP on local machines, use env vars or OS keychains — not committed .env files
  • Cuppa REST API keys belong in your server secrets manager, not front-end code

See the OpenAI API, Anthropic API, and REST API setup guides for where keys live.


Spend: monitor in Cuppa and at every provider

Bring-your-own-keys means you pay providers directly. Cuppa does not mark up API usage on subscription plans; lifetime plans may meter select features through the Cuppa Gateway wallet.

Track spend in two places

Where | What to watch
--- | ---
Provider dashboards | OpenAI, Anthropic, Replicate, xAI, Perplexity usage & limits
Cuppa | Subscription, wallet balance, add-ons, social connection overages

Monthly habit:

  1. Open each provider’s usage/billing page (links in our API setup guides)
  2. Check Team Settings → Billing and wallet auto-reload settings (lifetime)
  3. Compare trend vs. last month — spikes often mean a runaway bulk job or agent loop

Set limits at the provider

Before you need them:

  • OpenAI / Anthropic: Monthly budget caps and alert thresholds
  • Replicate / WaveSpeed: Usage alerts where available
  • X (Twitter) social: Opt in per brand with a monthly spend cap — off by default (Social Posts)

Cuppa pauses metered X and wallet-backed features when caps or balance are hit, but provider-side limits are your first line of defense against runaway API spend.

Watch bulk and agent workloads

High spend often comes from:

  • Large bulk article or image batch runs
  • MCP/CLI agents retrying in a loop
  • Creative Lab batch ad generation (up to 20 variants)

Set expectations with the team: who can kick off bulk jobs, and max batch sizes for experiments.


Integrations and connected accounts

Publishing integrations sit between Cuppa and your live sites. They deserve the same attention as AI provider keys — especially if team members change or a client relationship ends.

Rotate CMS credentials quarterly

Best practice: Review and rotate CMS integration credentials every quarter (every three months), and immediately when someone with integration access leaves or a site changes hands.

Most CMS connections use long-lived tokens or application passwords. They do not expire on their own, which is convenient day-to-day — but it means rotation is on you.

Integration | What to rotate | Where in Cuppa
--- | --- | ---
WordPress | Application password | Team Settings → Integrations → reconnect site
Ghost | Admin API key | Same
Webflow | Site API token | Same — generate new token in Webflow, update Cuppa
Sanity | API token (Editor+) | Same — new token in Sanity project settings
Contentful | Personal access / CMA token | Same
Shopify (legacy static token) | Admin API access token | Same — Dev Dashboard OAuth apps refresh automatically
Airtable | Personal access token | Same

Rotation workflow:

  1. Generate a new token or application password in the CMS (name it clearly, e.g. Cuppa – 2026-Q3)
  2. Update the connection in Team Settings → Integrations (or reconnect the site)
  3. Publish a quick test post or draft to confirm the pipeline still works
  4. Revoke the old token in the CMS — do not leave both active

OAuth-based connections (Google Search Console, GA4, Bing, social accounts) use refresh tokens managed by Cuppa. You cannot rotate those like an API key, but you should disconnect and reconnect if an Admin who set them up leaves, or during your quarterly audit if access looks stale.

See the Integrations overview for setup details per platform.
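The provider-key and CMS rotation schedules above can be audited from a simple credential inventory. This is an added example, not code from Cuppa's docs or product: it assumes 182 days for "six months" and 91 days for "a quarter", treats OAuth connections as having no age limit (reconnect only on offboarding), and uses a constructed inventory and dates.

```python
from dataclasses import dataclass
from datetime import date

# Rotation windows from the guide (day counts for "six months" and "a quarter"
# are an assumption). OAuth connections have no age limit; they are only
# reconnected when an Admin leaves or access looks stale.
MAX_AGE_DAYS = {
    "provider": 182,    # OpenAI, Anthropic, Replicate, xAI ... keys
    "cuppa_rest": 182,  # Cuppa REST API key: same schedule as provider keys
    "cms": 91,          # CMS tokens and application passwords
    "oauth": None,      # GSC, GA4, Bing, social: reconnect on offboarding
}

@dataclass(frozen=True)
class Credential:
    label: str        # name given at the source, e.g. "Cuppa Production - 2026-H1"
    kind: str         # one of the MAX_AGE_DAYS keys
    rotated_on: date  # date the current key or token was issued

def rotation_due(creds, today, last_departure=None):
    """Return [(label, reason)] for every credential to rotate now.

    last_departure is the date a member with settings or integration access
    left; anything issued on or before it is due regardless of age.
    """
    due = []
    for c in creds:
        limit = MAX_AGE_DAYS[c.kind]  # KeyError on an unknown kind is intended
        age = (today - c.rotated_on).days
        if last_departure is not None and c.rotated_on <= last_departure:
            due.append((c.label, "issued before a member with access left"))
        elif limit is not None and age > limit:
            due.append((c.label, f"{age} days old, limit {limit}"))
    return due

# Constructed inventory and dates for illustration only.
INVENTORY = [
    Credential("OpenAI - Cuppa Production - 2026-H1", "provider", date(2026, 1, 5)),
    Credential("WordPress app password - Cuppa - 2026-Q1", "cms", date(2026, 1, 5)),
    Credential("Cuppa REST key - prod", "cuppa_rest", date(2025, 9, 1)),
    Credential("Google Search Console (OAuth)", "oauth", date(2025, 6, 1)),
]
TODAY = date(2026, 5, 1)
DEPARTURE = date(2026, 3, 1)  # an Admin with settings access left on this day

if __name__ == "__main__":
    for label, reason in rotation_due(INVENTORY, TODAY, DEPARTURE):
        print(f"ROTATE {label}: {reason}")
```

Run it on the quarterly pass with the real inventory; every line it prints maps to one of the rotation workflows on this page.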

Disconnect what you no longer use

Periodically audit Team Settings → Integrations and each brand’s Site Settings:

  • CMS connections (WordPress, Ghost, Webflow) for retired sites
  • Social accounts for ex-clients or deprecated handles
  • Ad accounts in Brand Social → Paid Ads for ended campaigns

Fewer active connections means less to maintain — and one less thing to worry about if credentials ever leak.

OAuth is per-team

Anyone with Admin access can connect integrations. Restrict Admin roles accordingly. When offboarding an Admin, review recently connected integrations.


Brand and data hygiene

Review Brand Permissions after client changes

Agency teams: when a client offboards, remove their brands from affected Members and archive or delete the site if you no longer manage it.

Be deliberate with Knowledge Sources

Knowledge Sources and Brand Skills shape what the AI sees. Do not upload:

  • Confidential HR, legal, or unreleased financial data
  • Client secrets you are not contractually allowed to store in third-party tools

Treat Cuppa like any SaaS in your stack — if your policy requires a DPA or data review, run that process first.

Brand Skills from GitHub

Only import skills from repos you trust. Skills are scanned for injection patterns, but team admins control what gets installed. See Brand Skills.


Automation surface (REST API, MCP, CLI, webhooks)

Surface | Practice
--- | ---
REST API | Rotate Cuppa API keys on the same schedule as provider keys; scope to server-side only
Webhooks | HTTPS endpoints only; verify caller; rotate if endpoint URL or team changes
MCP / CLI | Run on trusted machines; lock down config files; offboard = revoke keys + remove local configs
Agents | Give agents clear stop conditions; avoid unbounded “keep generating” loops

Quick checklist

Use this quarterly (or after any team change):

  • Removed departed team members and expired invites
  • Brand Permissions reviewed for each Member
  • Provider API keys rotated (or scheduled) — max 6 months old
  • CMS integration tokens/passwords rotated — WordPress, Ghost, Webflow, Sanity, Contentful, etc.
  • OAuth integrations (GSC, GA4, Bing, social) reconnected if an Admin left or access looks stale
  • Cuppa REST API key rotated (Studio+)
  • Spend reviewed in Cuppa billing + each provider dashboard
  • Provider budget alerts and X social caps confirmed
  • Unused integrations and social/ad connections disconnected
  • Knowledge Sources and Brand Skills audited for sensitive or stale content