Gateway API keys are stored hashed. Provider keys are encrypted before persistence and selected per organization when BYOK is enabled.
Security
The gateway is designed to help teams centralize routing and reduce ad hoc credential sprawl while keeping policies enforceable.
Browser authentication uses short-lived access cookies and rotating refresh cookies. Sensitive actions can require recent re-authentication and optional TOTP 2FA.
Runtime queries use parameter binding, trusted hosts are enforced, body sizes are capped, and security headers are applied to reduce common web attack surfaces.
Top-ups are recorded through payment provider order IDs and verified signatures before credits are posted to the ledger. Duplicate payment confirmations are treated idempotently.
Dashboard data, API keys, provider keys, usage rows, and billing entries are scoped by organization and project so a selected workspace only sees its own records.
Use HTTPS, rotate leaked secrets immediately, restrict production trusted hosts, and keep provider keys least-privileged where the provider supports it.