Canoma
Last updated: February 25, 2026
Security
We design Canoma with defense-in-depth controls for authentication, observability, and outbound safety.
Authentication: Protected API routes require bearer authentication and server-side identity verification.
Rate and budget controls: Request-level limits and daily usage budgets help prevent abuse and unexpected cost spikes.
Error tracking: Sentry captures sanitized exceptions and tracing data. Sensitive headers and tokens are redacted.
Outbound controls: MCP endpoint validation blocks loopback and private-network destinations to reduce SSRF risk.
Incident reporting: Report security issues through our support channel with reproduction details and impact scope.