VeriTrust

Security

Security posture.

VeriTrust is designed to keep private provider tokens and service-role credentials on the server, never in frontend JavaScript.

Secret Handling

Production secrets are stored in environment variables. Hugging Face tokens, Supabase service-role keys, and private API credentials must not be committed or exposed to browsers.

API Key Storage

User API keys are generated once and stored as hashes with masked metadata. Revoked keys cannot be used after revocation.

Serverless Controls

Serverless API routes enforce validation, authorization, rate limits, CORS checks for web routes, and safe error responses.

Safe Use

Use API keys only from secure backends, Python scripts, local notebooks, or trusted automation. Verify suspicious content through official channels before action.