Security

We take the security of your data and API access seriously. Here is how we protect your infrastructure.

Encryption in Transit

All API traffic is encrypted with TLS 1.2+. We enforce HTTPS on all endpoints and reject insecure connections.

API Key Hashing

API keys are hashed using bcrypt before storage. The full key is shown exactly once at creation and cannot be recovered. We store only the key prefix for identification.

Rate Limiting

Every API key has configurable rate limits to prevent abuse. Default limits are 60 requests per minute, with higher limits available for premium and enterprise tiers.

Audit Logging

All administrative actions, API key operations, and wallet transactions are logged in an immutable audit trail. Logs are retained for 90 days and cannot be modified or deleted.

Immutable Billing Ledger

Wallet transactions are append-only. Every credit, debit, and adjustment creates a permanent record with the balance at that point in time. Corrections require reversal entries.
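
An added illustration of the append-only model described above (not this service's own code): each entry stores the balance at that point in time, a correction is a new reversal entry, and an audit replay flags the first record whose snapshot no longer matches. The names Entry, Ledger and audit are hypothetical.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional

@dataclass(frozen=True)  # a written record cannot be mutated in place
class Entry:
    seq: int
    kind: str                       # "credit", "debit" or "reversal"
    amount: Decimal                 # signed: credits positive, debits negative
    balance_after: Decimal          # balance snapshot at this point in time
    reverses: Optional[int] = None  # seq of the entry a reversal cancels

class Ledger:
    def __init__(self):
        self._entries = []          # only ever appended to; no update or delete

    @property
    def balance(self):
        return self._entries[-1].balance_after if self._entries else Decimal("0")

    def entries(self):
        return tuple(self._entries)

    def _append(self, kind, amount, reverses=None):
        entry = Entry(len(self._entries) + 1, kind, amount, self.balance + amount, reverses)
        self._entries.append(entry)
        return entry

    def credit(self, amount):
        return self._append("credit", Decimal(amount))

    def debit(self, amount):
        return self._append("debit", -Decimal(amount))

    def reverse(self, seq):
        """Correct an entry by appending its opposite, never by editing it."""
        if not 1 <= seq <= len(self._entries):
            raise ValueError("unknown entry")
        target = self._entries[seq - 1]
        if target.kind == "reversal" or any(e.reverses == seq for e in self._entries):
            raise ValueError("entry is a reversal or is already reversed")
        return self._append("reversal", -target.amount, reverses=seq)

def audit(entries):
    """Replay the entries; return the seq of the first inconsistent one, else None."""
    running = Decimal("0")
    for position, e in enumerate(entries, start=1):
        running += e.amount
        if e.seq != position or e.balance_after != running:
            return e.seq
    return None
```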

Session Security

Sessions are regenerated on login and invalidated on logout. Password confirmation is required for sensitive operations. Two-factor authentication is available for all accounts.