Security

Your knowledge and your users', protected.

JWT · Hashed keys · Rate limits · Tenant isolation · CORS

Authentication

JWT with refresh tokens. Publish Keys are stored only as hashes; the full key is never exposed.

Isolation

Each workspace has its own isolated data. There's no data crossover between organizations.

Rate limits

Limits per IP and per key to prevent abuse.
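An added example of per-IP and per-key limiting (not the product's own implementation): a token-bucket limiter keyed on two dimensions, so a request must have capacity on both its source IP and its Publish Key before it is admitted, and a rejection on one dimension does not drain the other. The bucket sizes, the injected clock and the in-memory store are assumptions; a multi-node deployment would keep the buckets in shared storage.

```javascript
// Token bucket: `capacity` tokens, refilled continuously at `refillPerSec`.
class TokenBucket {
  constructor(capacity, refillPerSec, now) {
    this.capacity = capacity;
    this.refillPerSec = refillPerSec;
    this.tokens = capacity;
    this.updatedAt = now;
  }
  refill(now) {
    const elapsedSec = Math.max(0, (now - this.updatedAt) / 1000);
    this.tokens = Math.min(this.capacity, this.tokens + elapsedSec * this.refillPerSec);
    this.updatedAt = now;
  }
}

class RateLimiter {
  // limits: { ip: { capacity, refillPerSec }, key: { capacity, refillPerSec } } (values assumed)
  constructor(limits, clock = Date.now) {
    this.limits = limits;
    this.clock = clock; // injectable for tests
    this.buckets = new Map();
  }
  bucket(scope, id) {
    const name = `${scope}:${id}`;
    let b = this.buckets.get(name);
    if (!b) {
      const { capacity, refillPerSec } = this.limits[scope];
      b = new TokenBucket(capacity, refillPerSec, this.clock());
      this.buckets.set(name, b);
    }
    return b;
  }
  // Returns { allowed: true } or { allowed: false, limitedBy, retryAfterMs }.
  // Both buckets are checked before either is debited.
  check(ip, key) {
    const now = this.clock();
    const scoped = [['ip', this.bucket('ip', ip)]];
    if (key) scoped.push(['key', this.bucket('key', key)]);
    for (const [, b] of scoped) b.refill(now);
    const exhausted = scoped.find(([, b]) => b.tokens < 1);
    if (exhausted) {
      const [scope, b] = exhausted;
      return { allowed: false, limitedBy: scope, retryAfterMs: Math.ceil(((1 - b.tokens) / b.refillPerSec) * 1000) };
    }
    for (const [, b] of scoped) b.tokens -= 1;
    return { allowed: true };
  }
}

module.exports = { TokenBucket, RateLimiter };
```

Unauthenticated requests only consume the IP bucket; keyed requests consume both. Keying the second dimension on the key rather than the workspace lets one compromised key be throttled without affecting the rest of the tenant.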

CORS

CORS is restricted to the domains you integrate from rather than allowing any origin.

BYOK key encryption

The OpenAI keys you bring (BYOK) are encrypted with AES-256-GCM before being stored, with a fresh random IV for every encryption and authentication-tag verification on every read. Rotating the encryption key is a manual process, not automatic.

Verified Stripe webhooks

Both Stripe webhook endpoints (billing and Connect) verify the signature of every event before processing it, rejecting any request that doesn't come from Stripe.

Secure headers and strict validation

Security HTTP headers (Helmet) on every response, and strict payload validation that rejects any request containing fields the endpoint does not expect (protection against mass assignment).
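The validation half of that, as an added example rather than the product's own code: a mass-assignment-prone handler that copies whatever the client sent onto the record, next to a hardened one that validates the body against an allowlist schema and rejects the whole request when an unexpected field is present. The schema is a small dependency-free validator written for this example; a real service would typically get the same behaviour from a schema library's strict mode (for instance zod's `.strict()`). The profile record and field rules are assumptions.

```javascript
// Allowlist schema for one endpoint (assumed fields): anything not listed is rejected.
const updateProfileSchema = {
  displayName: { type: 'string', required: true, maxLength: 80 },
  bio: { type: 'string', required: false, maxLength: 500 },
};

// Returns { ok: true, value } with only schema fields, or { ok: false, errors }.
function validateStrict(schema, payload) {
  if (payload === null || typeof payload !== 'object' || Array.isArray(payload)) {
    return { ok: false, errors: ['payload must be a JSON object'] };
  }
  const errors = [];
  // Reject unknown keys outright instead of silently dropping them: a client
  // sending "role" is either buggy or probing, and either deserves a 400.
  for (const field of Object.keys(payload)) {
    if (!Object.prototype.hasOwnProperty.call(schema, field)) errors.push(`unexpected field: ${field}`);
  }
  for (const [field, rule] of Object.entries(schema)) {
    const value = payload[field];
    if (value === undefined) {
      if (rule.required) errors.push(`missing field: ${field}`);
      continue;
    }
    if (typeof value !== rule.type) errors.push(`${field} must be ${rule.type}`);
    else if (rule.maxLength !== undefined && value.length > rule.maxLength) errors.push(`${field} too long`);
  }
  if (errors.length > 0) return { ok: false, errors };
  const value = {};
  for (const field of Object.keys(schema)) if (payload[field] !== undefined) value[field] = payload[field];
  return { ok: true, value };
}

// Vulnerable: every client-supplied field lands on the record, "role" included.
function updateProfileUnsafe(profile, body) {
  return Object.assign({}, profile, body);
}

// Hardened: only validated, allowlisted fields reach the record.
function updateProfileSafe(profile, body) {
  const result = validateStrict(updateProfileSchema, body);
  if (!result.ok) return { status: 400, errors: result.errors };
  return { status: 200, profile: { ...profile, ...result.value } };
}

module.exports = { validateStrict, updateProfileUnsafe, updateProfileSafe, updateProfileSchema };
```

`Object.keys` on a `JSON.parse`d body also surfaces a literal `__proto__` key, so the same check blocks the prototype-pollution variant of the attack rather than only the obvious `role` field.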