Security
This page summarizes the security expectations that matter to customers. It does not list internal implementation details.
Account security
Section titled “Account security”- The raw API key is shown only once.
- Revoked keys stop working immediately.
- Passwords and sessions are handled securely; plaintext secrets are not exposed.
Request security expectations
Section titled “Request security expectations”| Layer | Implementation |
|---|---|
| Transport | All traffic uses HTTPS |
| Authentication | Separate secure flows for dashboard sessions and API keys |
| Data isolation | Accounts are isolated from each other |
| Abuse protection | Validation, rate limiting, and misuse controls are applied |
Prompt and response privacy
Section titled “Prompt and response privacy”Prompt and response bodies are not stored. Only limited metrics needed for usage, billing, and troubleshooting are retained.
For formal legal notices, see the Privacy Policy and the KVKK Disclosure Notice.
Secret handling
Section titled “Secret handling”Provider keys and user secrets are used only where required. They are not exposed in the frontend, client logs, or user-facing screens.
Reporting a security issue
Section titled “Reporting a security issue”If you discover a security problem, contact us through our support channels.