OneAI
AI-native coordination
Security
OneAI is designed for operational use: structured outputs, reliable execution, and clear controls for projects, keys, and usage. This page summarizes our security posture and recommended practices.
Note: replace placeholder statements below with your exact implementation details when ready (hosting, encryption, retention).
API keys & access
Use per-project keys and rotate them regularly. Store keys in server-side secrets, never in client-side code. Restrict admin routes with strong authentication.
Data handling
Minimize stored data. Store only what operations require (usage, billing, workflow metadata). Avoid logging sensitive inputs.
Operational reliability
Validating outputs and retrying on failure reduces malformed results. Prefer schema-validated structured outputs for production workflows.
Recommended best practices
Least privilege by default
Use separate keys for dev, test, and prod. Use role-based access in the Console. Limit who can create keys and view billing.
Logging hygiene
Avoid storing raw prompts and outputs by default. If you must, redact secrets and personal data, and keep retention windows short.
Webhook security
Verify Stripe (or other provider) webhook signatures. Compute the signature over the raw request body as received, not over a re-parsed or re-serialized copy, and fail closed on any mismatch.
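As an added example (not code from this page or the OneAI product), a Python verifier for the `t=<timestamp>,v1=<hex>` header scheme Stripe documents: HMAC-SHA256 over `<timestamp>.<raw body>`, a replay window, and a fail-closed result. The secret, event body, and helper names are constructed for illustration.

```python
import hmac
import hashlib
import time

# Constructed sample endpoint secret; a real one is issued per endpoint by the provider.
WEBHOOK_SECRET = "whsec_constructed_example_secret"
TOLERANCE_SECONDS = 300  # reject signatures whose timestamp is outside a 5-minute window


def parse_signature_header(header):
    """Split 't=<unix ts>,v1=<hex>[,v1=<hex>...]' into (timestamp, [hex signatures])."""
    timestamp, signatures = None, []
    for part in header.split(","):
        key, _, value = part.strip().partition("=")
        if key == "t":
            timestamp = int(value)  # ValueError on junk; the caller turns that into a reject
        elif key == "v1":
            signatures.append(value)
    return timestamp, signatures


def verify_webhook(raw_body, header, secret=WEBHOOK_SECRET, now=None):
    """True only if some v1 signature equals HMAC-SHA256(secret, '<ts>.<raw body>').

    The body is used byte-for-byte as received, never re-serialized. Any parse
    error, stale timestamp, or digest mismatch returns False (fail closed).
    """
    try:
        timestamp, signatures = parse_signature_header(header)
    except ValueError:
        return False
    if timestamp is None or not signatures:
        return False
    now = int(time.time()) if now is None else now
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        return False
    if isinstance(raw_body, str):
        raw_body = raw_body.encode("utf-8")
    signed_payload = str(timestamp).encode("utf-8") + b"." + raw_body
    expected = hmac.new(secret.encode("utf-8"), signed_payload, hashlib.sha256).hexdigest()
    # Constant-time comparison so timing differences do not leak the expected digest.
    return any(hmac.compare_digest(expected.encode(), sig.encode()) for sig in signatures)


def sign_for_test(raw_body, timestamp, secret=WEBHOOK_SECRET):
    """Build a header the way the sender would; used only to exercise verify_webhook."""
    signed_payload = f"{timestamp}.{raw_body}".encode("utf-8")
    digest = hmac.new(secret.encode("utf-8"), signed_payload, hashlib.sha256).hexdigest()
    return f"t={timestamp},v1={digest}"
```

A body that has been parsed and re-serialized (even a single whitespace change) produces a different digest and is rejected, which is why the handler must keep the raw bytes.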
Rate limiting
Apply per-key rate limits. Reject abusive traffic early. Monitor for spikes, and rotate any key suspected of compromise.