Security

Last updated: February 7, 2026

Zephex is a security-sensitive service (API keys can unlock access to tooling and usage). This page explains the practical controls we use to protect accounts and data.

Encryption

  • In transit: TLS/HTTPS for dashboard and API traffic.
  • At rest: sensitive fields are encrypted where appropriate, and secrets are not stored in plaintext.

API key handling

  • API keys are validated by secure hashing on the server side.
  • We never store plaintext API keys in the database.
  • You can revoke or rotate keys at any time.

Access controls

  • Role-based access for administrative actions.
  • Database row-level security to isolate customer data.
  • Scoped authorization for sensitive endpoints.

Monitoring and abuse prevention

  • Rate limiting per API key/tier to reduce abuse and prevent runaway usage.
  • Security logging for authentication events and suspicious activity.
  • Alerting for high-risk patterns (e.g., repeated failed logins).

Reporting vulnerabilities

If you believe you have found a security issue, email security@zephex.dev. Please include steps to reproduce and any relevant logs. Do not publicly disclose the issue until we’ve had a chance to investigate.