
Security: txc0ld/agentavatar


docs/SECURITY.md

AgentAvatar Security

Security Measures in Place

✅ Authentication

  • Bearer token authentication for all protected endpoints
  • Token expiry with refresh mechanism
  • Dev-mode bypass only works when NODE_ENV=development

✅ Authorization

  • Moltbook-delegated auth with HMAC-SHA256 signature verification
  • Webhook timestamp validation (5-minute window to prevent replay attacks)
  • Agent tokens scoped to specific agents
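
The HMAC-SHA256 signature check and 5-minute timestamp window described above, as an added illustration that is not code from the AgentAvatar repository: the header names and the signed-payload layout ("<timestamp>.<rawBody>") are assumptions, and a real receiver must verify over the raw request body bytes before any JSON parsing.

```typescript
// Added example (not project code): verify a Moltbook-style webhook with
// HMAC-SHA256 and reject stale or replayed deliveries. Header names and the
// "<timestamp>.<rawBody>" signing layout are assumptions for illustration.
import { createHmac, timingSafeEqual } from "node:crypto";

const MAX_SKEW_MS = 5 * 60 * 1000; // the 5-minute replay window from the list above

interface WebhookHeaders {
  "x-moltbook-timestamp"?: string; // unix seconds (assumed header name)
  "x-moltbook-signature"?: string; // hex HMAC-SHA256 (assumed header name)
}

type VerifyResult = "ok" | "missing_headers" | "bad_timestamp" | "stale" | "bad_signature";

// The sender computes this over the timestamp and the raw body so that the
// timestamp itself is covered by the signature and cannot be swapped.
function signPayload(secret: string, timestamp: number, rawBody: string): string {
  return createHmac("sha256", secret).update(`${timestamp}.${rawBody}`).digest("hex");
}

function verifyWebhook(
  secret: string,
  headers: WebhookHeaders,
  rawBody: string,
  nowMs: number = Date.now(),
): VerifyResult {
  const tsHeader = headers["x-moltbook-timestamp"];
  const sigHeader = headers["x-moltbook-signature"];
  if (!tsHeader || !sigHeader) return "missing_headers";

  const timestamp = Number(tsHeader);
  if (!Number.isInteger(timestamp)) return "bad_timestamp";

  // Check the window before doing any crypto: a captured request replayed
  // later than 5 minutes is rejected even though its signature is valid.
  if (Math.abs(nowMs - timestamp * 1000) > MAX_SKEW_MS) return "stale";

  const expected = Buffer.from(signPayload(secret, timestamp, rawBody), "hex");
  const provided = Buffer.from(sigHeader, "hex"); // non-hex input yields a short buffer
  // timingSafeEqual throws on length mismatch, so compare lengths first;
  // a wrong length is itself an invalid signature. Never use === here.
  if (expected.length !== provided.length || !timingSafeEqual(expected, provided)) {
    return "bad_signature";
  }
  return "ok";
}
```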

✅ Input Validation

  • Zod schemas validate all API inputs
  • Strict type checking via TypeScript
  • SQL injection prevented by Drizzle ORM's parameterized queries

✅ Rate Limiting

  • Configurable rate limits per endpoint
  • Default: 100 requests/minute
  • Craft sessions: more restrictive limits

✅ Security Headers

  • Helmet.js for secure HTTP headers
  • Content Security Policy in production
  • X-Frame-Options, X-Content-Type-Options, etc.

✅ CORS

  • Configurable allowed origins
  • Credentials support with explicit origin list
  • Default restricts to localhost in development

✅ Secrets Management

  • All secrets via environment variables
  • .env files in .gitignore
  • No hardcoded credentials in source

✅ BYOK (Bring Your Own Key)

  • User API keys are not stored on our servers
  • Keys passed per-request, used transiently
  • Keys never logged or persisted

Production Deployment Checklist

Before deploying to production:

  • Set NODE_ENV=production
  • Set CORS_ORIGINS to your actual domain(s)
  • Generate strong AUTH_SECRET (min 32 chars): openssl rand -base64 32
  • Generate strong JWT_SECRET: openssl rand -base64 32
  • Set up MOLTBOOK_WEBHOOK_SECRET with Moltbook
  • Enable HTTPS (handled by reverse proxy/Vercel)
  • Configure proper rate limits for your expected traffic
  • Set up monitoring/alerting for failed auth attempts
  • Review database connection pooling limits

Environment Variables (Production)

NODE_ENV=production
CORS_ORIGINS=https://yourdomain.com,https://api.yourdomain.com
AUTH_SECRET=<generate-strong-secret>
JWT_SECRET=<generate-strong-secret>
MOLTBOOK_WEBHOOK_SECRET=<shared-with-moltbook>
RATE_LIMIT_MAX_REQUESTS=100
RATE_LIMIT_WINDOW_MS=60000

Reporting Security Issues

Found a vulnerability? Please email security@agentavatar.com (or DM the maintainers).

Do not open public GitHub issues for security vulnerabilities.
