MY PROP JOURNAL

Security & privacy

Data isolation, subscription rules, and how API keys are stored and revoked.

Data isolation

  • All queries are automatically scoped to the authenticated user
  • Users cannot access another user's data
  • Data isolation is strictly enforced — other users' data is never accessible
  • Every API request validates ownership before returning results

Subscription requirements

  • API access is limited to active paid subscribers (All-Inclusive or AI Coach)
  • Accounts on limited access (after trial or subscription ends) cannot create API keys
  • If a subscriber downgrades to limited access, existing keys stop working:
    1. Key creation is blocked
    2. Validation rejects requests when the account is no longer on a paid plan

API key security

  • Keys are securely hashed and never stored in plaintext
  • The full key is shown only once at creation — save it securely
  • You can revoke keys anytime from your account Settings
  • Last used timestamps help you identify and remove unused keys
  • Treat API keys like passwords — never commit them to source control or share them publicly

Transport security

Always use HTTPS in production. The Bearer token must not be logged in client-side analytics or shared URLs.