Security
Security Practices
The platform is designed around hashed API keys, secure sessions, signed Stripe webhooks, guarded demos, and clean API error responses.
API keys
Raw API keys are generated once, shown once, hashed with server-side secret material, and can be revoked immediately from the dashboard.
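The key lifecycle described above, as an added example that is not the platform's own code. It assumes HMAC-SHA256 as the keyed hash, a hypothetical API_KEY_PEPPER environment variable, a hypothetical sk_<id>_<secret> key format, and an in-memory dict standing in for the database.

```python
import hashlib
import hmac
import os
import secrets

# Assumption: the server-side secret ("pepper") arrives via an environment
# variable. The name API_KEY_PEPPER is hypothetical; the fallback is demo-only.
PEPPER = os.environ.get("API_KEY_PEPPER", "constructed-demo-pepper").encode()

# Hypothetical stand-in for a database table:
# key_id -> {"digest": hex HMAC of the raw key, "revoked": bool}
KEY_STORE = {}


def key_digest(raw_key: str) -> str:
    # Keyed hash: a leaked digest table cannot be tested offline without the pepper.
    return hmac.new(PEPPER, raw_key.encode(), hashlib.sha256).hexdigest()


def issue_key() -> str:
    """Create a key, persist only its digest, and return the raw key once."""
    key_id = secrets.token_hex(4)
    raw_key = f"sk_{key_id}_{secrets.token_urlsafe(32)}"
    KEY_STORE[key_id] = {"digest": key_digest(raw_key), "revoked": False}
    return raw_key


def verify_key(presented: str) -> bool:
    """Return True only for a known, unrevoked key."""
    parts = presented.split("_", 2)
    if len(parts) != 3 or parts[0] != "sk":
        return False
    record = KEY_STORE.get(parts[1])
    if record is None or record["revoked"]:
        return False
    # Constant-time comparison avoids leaking digest prefixes through timing.
    return hmac.compare_digest(record["digest"], key_digest(presented))


def revoke_key(key_id: str) -> None:
    """Mark a key revoked; the next verify_key call for it fails."""
    if key_id in KEY_STORE:
        KEY_STORE[key_id]["revoked"] = True
```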
Demo guardrails
No-key demo routes live under /demo/api/v1, accept only allowlisted sample values, and are rate-limited independently of production API calls.
Production operations
Secrets are provided through environment variables. Admin routes require an admin session and are excluded from the public OpenAPI schema.
This page is an MVP launch policy summary for developer review and will be replaced by counsel-reviewed legal terms before broad commercial launch.