Data isolation
- All queries are automatically scoped to the authenticated user
- Users cannot access another user's data
- Data isolation is strictly enforced — other users' data is never accessible
- Every API request validates ownership before returning results
Subscription requirements
- API access is limited to active paid subscribers (All-Inclusive or AI Coach)
- Accounts on limited access (after trial or subscription ends) cannot create API keys
- If a subscriber downgrades to limited access, existing keys stop working:
- Key creation is blocked
- Validation rejects requests when the account is no longer on a paid plan
API key security
- Keys are securely hashed and never stored in plaintext
- The full key is shown only once at creation — save it securely
- You can revoke keys anytime from your account Settings
- Last used timestamps help you identify and remove unused keys
- Treat API keys like passwords — never commit them to source control or share them publicly
Transport security
Always use HTTPS in production. The Bearer token must not be logged in client-side analytics or shared URLs.