Data isolation
- All queries are automatically scoped to the authenticated user
- Users cannot access another user's data
- Data isolation is enforced at the database level, not just in application code
- Every API request validates ownership before returning results
Subscription requirements
- API access is limited to paid subscribers
- Free-tier users cannot create API keys
- If a subscriber downgrades, existing keys stop working:
  - Key creation is blocked on free tier
  - Validation rejects requests when the account is no longer paid
API key hygiene
- Keys are stored as bcrypt hashes
- Plaintext is shown once at creation
- Users can revoke keys anytime from Settings
- Last-used timestamps help detect unused keys
- Treat secrets like passwords — never commit them to source control
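The key lifecycle described under "Subscription requirements" and "API key hygiene", as an added example that is not this service's own code: creation blocked on the free tier, hash-only storage, revocation, a plan re-check on every validation, and last-used tracking. The in-memory `ACCOUNTS` and `KEYS` stores, the `key_id.secret` key format and all function names are assumptions, and stdlib scrypt stands in for bcrypt so the block runs without third-party packages.

```python
import hashlib, hmac, secrets, time

# Hypothetical in-memory stores with constructed sample data;
# a real service would keep these in its database.
ACCOUNTS = {"u1": {"plan": "paid"}, "u2": {"plan": "free"}}
KEYS = {}  # key_id -> record

def _hash(secret: str, salt: bytes) -> bytes:
    # Assumption: stdlib scrypt stands in for the bcrypt hashing the page describes.
    return hashlib.scrypt(secret.encode(), salt=salt, n=2**14, r=8, p=1)

def create_key(user_id: str) -> str:
    """Return the plaintext key once; only its salted hash is stored."""
    if ACCOUNTS[user_id]["plan"] != "paid":
        raise PermissionError("API keys require a paid subscription")
    key_id, secret = secrets.token_hex(4), secrets.token_urlsafe(32)
    salt = secrets.token_bytes(16)
    KEYS[key_id] = {"user": user_id, "salt": salt, "hash": _hash(secret, salt),
                    "revoked": False, "last_used": None}
    return f"{key_id}.{secret}"

def revoke_key(key_id: str) -> None:
    KEYS[key_id]["revoked"] = True

def validate(bearer: str):
    """Return the owning user id, or None if the key must be rejected."""
    key_id, _, secret = bearer.partition(".")
    rec = KEYS.get(key_id)
    if rec is None or rec["revoked"]:
        return None
    # Constant-time comparison of the recomputed hash against the stored one.
    if not hmac.compare_digest(_hash(secret, rec["salt"]), rec["hash"]):
        return None
    # Re-check the plan on every request so a downgrade disables existing keys.
    if ACCOUNTS[rec["user"]]["plan"] != "paid":
        return None
    rec["last_used"] = time.time()
    return rec["user"]

def stale_keys(max_idle_seconds: float, now=None):
    """Active key ids never used or idle past the threshold: revocation candidates."""
    now = time.time() if now is None else now
    return [k for k, r in KEYS.items() if not r["revoked"]
            and (r["last_used"] is None or now - r["last_used"] > max_idle_seconds)]
```

Because the plan is checked at validation time rather than only at creation, a key issued while the account was paid stops working as soon as the account is downgraded, with no separate cleanup job required.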
Transport security
Always use HTTPS in production. The Bearer token must not be logged in client-side analytics or shared URLs.