API Security

Secure API access with authentication, rate limiting, and validation.

Authentication

- Authorization: Bearer <JWT_TOKEN>
- JWT tokens validated on every request
- Organization-scoped access control
- API keys with SHA-256 hashed storage

Rate Limiting

- Default: 100 requests/second with 200 burst
- Per-IP tracking with token bucket algorithm
- Trusted proxy validation (X-Forwarded-For)

Input Validation

- UUID format validation on all IDs
- JSON schema validation
- SQL injection prevention (parameterized queries)
- XSS prevention (HTML escaping)
- Request body size limit: 10MB
- Request timeout: 30 seconds

Security Headers

- Content-Security-Policy: default-src 'self'...
- X-Content-Type-Options: nosniff
- X-Frame-Options: DENY
- X-XSS-Protection: 1; mode=block
- Referrer-Policy: strict-origin-when-cross-origin
- Strict-Transport-Security: max-age=31536000
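The Authentication section says bearer JWTs are validated on every request and that access is organization-scoped. The following is an added illustration of that per-request flow, not the project's own code: it parses the `Authorization: Bearer <JWT_TOKEN>` header, verifies an HS256 signature with only the standard library, pins the algorithm so a token cannot select `none`, enforces `exp`/`nbf`, and then checks the token's `org` claim against the organization in the request. The secret, the claim names `org` and `sub`, and the `issue_token` helper (used only to build test input) are assumptions for the example; the page does not state which JWT algorithm or claims the project uses.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo signing secret; a real deployment loads it from a secret store.
SECRET = b"constructed-demo-secret-do-not-use"


class AuthError(Exception):
    """Raised for any authentication failure; the caller maps it to 401."""


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, secret: bytes = SECRET) -> str:
    """Mint an HS256 JWT; used here only to build input for the checks below."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def bearer_token(authorization_header) -> str:
    """Pull the token out of 'Authorization: Bearer <JWT_TOKEN>'."""
    if not authorization_header:
        raise AuthError("missing Authorization header")
    scheme, _, token = authorization_header.strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        raise AuthError("expected Bearer scheme")
    return token.strip()


def verify_jwt(token: str, secret: bytes = SECRET, now=None) -> dict:
    """Check structure, pin the algorithm, verify the HMAC, then enforce exp/nbf."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
        if not isinstance(header, dict):
            raise ValueError
    except ValueError:  # covers base64, JSON, unicode and unpacking errors
        raise AuthError("malformed token")
    # Never let the token choose its own algorithm ("none", key-confusion tricks, ...).
    if header.get("alg") != "HS256":
        raise AuthError("unsupported alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise AuthError("bad signature")
    # Only after the signature holds is anything in the payload trusted.
    try:
        claims = json.loads(_b64url_decode(payload_b64))
        if not isinstance(claims, dict):
            raise ValueError
    except ValueError:
        raise AuthError("malformed claims")
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise AuthError("token expired")
    if now < claims.get("nbf", 0):
        raise AuthError("token not yet valid")
    return claims


def authorize_org(claims: dict, requested_org: str) -> bool:
    """Organization-scoped access control: the token's org must match the resource's org."""
    return claims.get("org") == requested_org


def handle_request(authorization_header, requested_org: str, now=None):
    """Per-request flow: 401 on any auth failure, 403 on org mismatch, 200 otherwise."""
    try:
        claims = verify_jwt(bearer_token(authorization_header), now=now)
    except AuthError as err:
        return 401, str(err)
    if not authorize_org(claims, requested_org):
        return 403, "token not scoped to this organization"
    return 200, f"hello {claims.get('sub', '?')}"
```

The order of checks matters: the signature is verified before any claim is read, and the algorithm is fixed by the server rather than taken from the header, so a tampered payload or an `alg: none` token is rejected before it can influence anything. The distinction between 401 (not authenticated) and 403 (authenticated but not scoped to this organization) is what makes the organization check auditable in logs.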
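The Authentication section also lists API keys with SHA-256 hashed storage. As an added example (not the project's code), this in-memory store shows the pattern: the plaintext key is returned to the caller once at creation, only its SHA-256 digest is persisted, and authentication hashes the presented key and looks the digest up. The `ak_` prefix, the record fields and the in-memory dictionary standing in for a database table are assumptions of the example.

```python
import hashlib
import secrets


class ApiKeyStore:
    """In-memory stand-in for an API-key table (constructed for this example).

    Only the SHA-256 digest of each key is stored. Because keys are built from
    32 bytes of CSPRNG output they are not guessable, so a plain hash (no salt or
    slow KDF, unlike passwords) is enough to make a leaked table useless."""

    PREFIX = "ak_"  # assumed prefix so leaked keys are easy to spot in secret scanning

    def __init__(self):
        # hex digest -> record; a real table would index on the digest column
        self._by_digest = {}

    @staticmethod
    def digest(key: str) -> str:
        return hashlib.sha256(key.encode("utf-8")).hexdigest()

    def create(self, org_id: str, label: str) -> str:
        """Return the plaintext key exactly once; it is never persisted."""
        plaintext = self.PREFIX + secrets.token_urlsafe(32)
        self._by_digest[self.digest(plaintext)] = {
            "org": org_id, "label": label, "revoked": False,
        }
        return plaintext

    def revoke(self, digest: str) -> None:
        """Revocation works on the stored digest, which is all the UI ever has."""
        record = self._by_digest.get(digest)
        if record:
            record["revoked"] = True

    def authenticate(self, presented: str):
        """Hash the presented key and look the digest up; None means reject."""
        if not presented.startswith(self.PREFIX):
            return None
        record = self._by_digest.get(self.digest(presented))
        if record is None or record["revoked"]:
            return None
        return {"org": record["org"], "label": record["label"]}
```

Because the stored value is a hash of a high-entropy secret rather than of a user-chosen password, a database leak does not let an attacker recover usable keys, and the org bound to the key at creation is what scopes every request made with it.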
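The Rate Limiting section describes per-IP token buckets at 100 requests/second with a 200-request burst, and trusted-proxy validation of X-Forwarded-For. The block below is an added example, not the project's implementation, of both halves: a token-bucket limiter keyed by client address, and a `client_ip` helper that only honours X-Forwarded-For when the direct peer is a trusted proxy and then walks the chain from the right until the first untrusted hop. The trusted range `10.0.0.0/8`, the injectable clock and the `check_request` entry point are assumptions of the example.

```python
import ipaddress
import time

RATE_PER_SEC = 100.0  # page default: 100 requests/second
BURST = 200           # page default: burst of 200 (bucket capacity)

# Assumed trusted-proxy range (constructed); the real list comes from deployment config.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def _is_trusted(addr, trusted) -> bool:
    return any(addr in net for net in trusted)


def client_ip(remote_addr: str, x_forwarded_for=None, trusted=TRUSTED_PROXIES) -> str:
    """Pick the address to rate-limit on.

    X-Forwarded-For is client-controlled unless the direct peer is one of our
    proxies, so it is only consulted then, and the chain is walked from the right
    (the hop our proxy appended) towards the left until the first untrusted hop."""
    peer = ipaddress.ip_address(remote_addr)
    if not _is_trusted(peer, trusted) or not x_forwarded_for:
        return str(peer)
    for hop in reversed([h.strip() for h in x_forwarded_for.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer)  # malformed header: fall back to the peer rather than trust it
        if not _is_trusted(addr, trusted):
            return str(addr)
    return str(peer)  # every hop was one of our proxies


class TokenBucketLimiter:
    """One bucket per key (client IP). Each request costs one token; tokens refill
    continuously at `rate` per second up to `burst`."""

    def __init__(self, rate=RATE_PER_SEC, burst=BURST, clock=time.monotonic):
        self.rate, self.burst, self.clock = float(rate), float(burst), clock
        self._buckets = {}  # key -> [tokens, last_refill_time]

    def allow(self, key: str) -> bool:
        now = self.clock()
        bucket = self._buckets.setdefault(key, [self.burst, now])
        tokens, last = bucket
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            bucket[:] = [tokens - 1.0, now]
            return True
        bucket[:] = [tokens, now]
        return False


def check_request(limiter, remote_addr, x_forwarded_for=None):
    """Middleware-style entry point: 429 when the caller's bucket is empty."""
    key = client_ip(remote_addr, x_forwarded_for)
    return (200, key) if limiter.allow(key) else (429, key)
```

Keying the bucket on the address returned by `client_ip` is the point of the trusted-proxy check: if the header were trusted from any peer, a client could spoof a fresh X-Forwarded-For value on every request and get a new bucket each time. A fresh bucket starts full, so the first 200 requests from an address pass immediately and the steady state is then 100 per second.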
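The Input Validation section lists UUID checks on IDs, JSON schema validation, parameterized queries, HTML escaping and a 10MB body limit. The following is an added example that puts those controls in the order a handler would apply them, using only the standard library; it is not the project's code. The `items` table, the `ITEM_SCHEMA` field list, the sample row and the hypothetical `/items` endpoint are constructed for the example. The 30-second request timeout is a server-level setting and is not shown.

```python
import html
import json
import sqlite3
import uuid

MAX_BODY_BYTES = 10 * 1024 * 1024  # page limit: 10MB request bodies

# Constructed schema for a hypothetical /items endpoint: field -> required type.
ITEM_SCHEMA = {"name": str, "quantity": int}


class ValidationError(ValueError):
    """Maps to a 400 response; the message is safe to return to the client."""


def parse_uuid(value) -> str:
    """Accept only canonical 8-4-4-4-12 UUIDs (case-insensitive), returned lowercased."""
    try:
        canonical = str(uuid.UUID(str(value)))
    except ValueError:
        raise ValidationError("invalid UUID")
    if canonical != str(value).lower():
        raise ValidationError("invalid UUID")  # rejects braces, urn: prefix, missing hyphens
    return canonical


def validate_body(raw: bytes) -> dict:
    """Size limit first (before parsing), then JSON, then shape against ITEM_SCHEMA."""
    if len(raw) > MAX_BODY_BYTES:
        raise ValidationError("request body exceeds 10MB")
    try:
        doc = json.loads(raw)
    except ValueError:
        raise ValidationError("request body is not valid JSON")
    if not isinstance(doc, dict):
        raise ValidationError("request body must be a JSON object")
    for field, expected in ITEM_SCHEMA.items():
        if field not in doc:
            raise ValidationError(f"missing field: {field}")
        value = doc[field]
        # bool is a subclass of int in Python, so exclude it explicitly for int fields
        if not isinstance(value, expected) or (expected is int and isinstance(value, bool)):
            raise ValidationError(f"field {field} must be {expected.__name__}")
    unknown = set(doc) - set(ITEM_SCHEMA)
    if unknown:
        raise ValidationError(f"unknown fields: {sorted(unknown)}")
    return doc


def find_item(conn, org_id: str, item_id: str):
    """Parameterized query: the driver sends values separately from the SQL text,
    so a value such as "' OR 1=1 --" can never change the statement."""
    return conn.execute(
        "SELECT name, quantity FROM items WHERE org_id = ? AND id = ?",
        (org_id, parse_uuid(item_id)),
    ).fetchone()


def render_item_name(name: str) -> str:
    """HTML-escape before interpolating into markup so stored text cannot become script."""
    return f"<li>{html.escape(name)}</li>"


DEMO_ITEM_ID = "123e4567-e89b-12d3-a456-426614174000"  # constructed sample id


def demo_db():
    """In-memory SQLite table with one constructed row, including a hostile name."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id TEXT, org_id TEXT, name TEXT, quantity INTEGER)")
    conn.execute("INSERT INTO items VALUES (?, ?, ?, ?)",
                 (DEMO_ITEM_ID, "org-1", "<script>alert(1)</script>", 3))
    return conn
```

Two details are easy to get wrong. The body-size check runs on the raw bytes before `json.loads`, because a parser cannot enforce a limit on input it has already consumed. And the hostile item name is stored verbatim (the parameterized insert treats it as data) and neutralised only at render time with `html.escape`; escaping on the way in would corrupt data for non-HTML consumers such as the JSON API itself.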