Skip to contentSkip to navigation

Security

The service is built around safe delivery keys, URL validation, rate limits, and safe app delivery email logs.

Delivery Keys

  • raw keys are shown only once
  • only key hashes are stored
  • safe key prefixes can be shown in the dashboard
  • revoked keys stop accepting delivery requests

URLs

Auth URLs may use HTTPS, localhost or 127.0.0.1 for local development, or a configured app scheme. They must include only a non-empty token query parameter and match the selected app's allowed URLs. This prevents a valid delivery key from being used to send unsafe or unexpected links.

App delivery email logs

App delivery email logs are for debugging emails your app sends to users, not for storing auth secrets. They should show safe status and error information only.

  • no auth URLs
  • no raw tokens
  • no raw delivery keys
  • no passwords

Limits

Delivery requests are limited by delivery key, recipient, and app daily limit. Limits reduce abuse and stop one app from affecting every other app.

Security — Own Auth Docs