Authentication
JWT with refresh tokens. Publish Keys are stored hashed. We never expose full keys.
Isolation
Each workspace has its own isolated data. There's no data crossover between organizations.
Rate limits
Limits per IP and per key to prevent abuse.
CORS
Secure configuration for integrations from your domain.
BYOK key encryption
The OpenAI keys you bring (BYOK) are encrypted with AES-256-GCM before being stored, with a random IV on every operation and auth tag verification on every read. Rotating the encryption key is a manual process, not automatic.
Verified Stripe webhooks
Both Stripe webhook endpoints (billing and Connect) verify the signature of every event before processing it, rejecting any request that doesn't come from Stripe.
Secure headers and strict validation
Security HTTP headers (Helmet) on every response, and strict payload validation that rejects unexpected fields (anti mass-assignment protection).