API Security

Secure API access with authentication, rate limiting, and validation.

Authentication

Authorization: Bearer <JWT_TOKEN>
  • JWT tokens validated on every request
  • Organization-scoped access control
  • API keys with SHA-256 hashed storage

Rate Limiting

  • Default: 100 requests/second with 200 burst
  • Per-IP tracking with token bucket algorithm
  • Trusted proxy validation (X-Forwarded-For)

Input Validation

  • UUID format validation on all IDs
  • JSON schema validation
  • SQL injection prevention (parameterized queries)
  • XSS prevention (HTML escaping)
  • Request body size limit: 10MB
  • Request timeout: 30 seconds

Security Headers

Content-Security-Policy: default-src 'self'...
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Referrer-Policy: strict-origin-when-cross-origin
Strict-Transport-Security: max-age=31536000
← Encryption Agent Security →