Security

Rate limiting

API routes are rate-limited to 60 requests per minute per IP via Cloudflare. Credential and email-sending auth endpoints use a stricter limit of 10 requests per minute. SCIM endpoints are keyed by Bearer token instead of IP, so identity-provider directory syncs don't compete with other traffic from shared egress IPs. Exceeding a limit returns 429.

Security headers

HeaderValue
X-Frame-OptionsDENY
X-Content-Type-Optionsnosniff
Strict-Transport-Securitymax-age=63072000; includeSubDomains
Referrer-Policystrict-origin-when-cross-origin
X-DNS-Prefetch-Controloff

Authentication security

API tokens are generated with 256-bit entropy and stored as SHA-256 hashes — the plaintext is shown once and never persisted. SCIM tokens are likewise stored hashed. CLI device codes expire after 10 minutes. CI/CD OIDC tokens are verified against the provider's published signing keys (issuer, audience, and expiry checked) and exchanged tokens live for 1 hour.

Content limits

ResourceLimit
Skill content (text)512 KB
Organization description / user bio10 KB
Package skill (compressed)100 MB
Package skill (uncompressed)100 MB
Package skill file count500 files
Skill name1–100 chars
Organization name2–50 chars
Username2–39 chars
Custom role name2–40 chars
API tokens per user25
Anonymous shared skills10 per identity
Security — localskills.sh docs