Security
How we protect your keys, data, and money.
- API keys: only the SHA-256 hash is stored in the database; the secret is shown once.
- Passwords: bcrypt hashing, with sessions issued as JWTs in httpOnly cookies.
- Money and tokens: atomic database transactions, protecting against double-spend and negative balances.
- Limits: RPM/RPD per plan and per key, plus rate limiting.
- Payments: processed via YooKassa, with webhook signature verification.
- Audit logging: critical actions and administrator actions are recorded in an audit log.
Found a vulnerability? Email security@aiclauds.com.