Security
Security posture.
VeriTrust is designed to keep private provider tokens and service-role credentials on the server, never in frontend JavaScript.
Secret Handling
Production secrets are stored in environment variables. Hugging Face tokens, Supabase service-role keys, and private API credentials must not be committed or exposed to browsers.
API Key Storage
User API keys are generated once and stored as hashes with masked metadata. Revoked keys cannot be used after revocation.
Serverless Controls
Serverless API routes enforce validation, authorization, rate limits, CORS checks for web routes, and safe error responses.
Safe Use
Use API keys only from secure backends, Python scripts, local notebooks, or trusted automation. Verify suspicious content through official channels before action.