Security
Rate limiting
All API routes are rate-limited per IP via Cloudflare. SCIM endpoints use a higher limit keyed by Bearer token to accommodate directory sync traffic. Requests that exceed the rate limit receive an HTTP 429 (Too Many Requests) response.
Security headers
| Header | Value |
|---|---|
| X-Frame-Options | DENY |
| X-Content-Type-Options | nosniff |
| Strict-Transport-Security | max-age=63072000; includeSubDomains |
| Referrer-Policy | strict-origin-when-cross-origin |
| X-DNS-Prefetch-Control | off |
Authentication security
API tokens are generated with 256-bit entropy and stored as SHA-256 hashes. SCIM tokens are UUID-based and SHA-256 hashed. Device codes expire after 10 minutes and are SHA-256 hashed. SAML assertion replay is prevented with a 10-minute deduplication window.
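The token handling and replay protection described above, as an added illustration that is not the service's own code: tokens are minted from 256 bits of randomness, only their SHA-256 digest is persisted and used for lookup, and a SAML assertion ID is refused if it was already accepted inside the 10-minute window. The store layout and class names are assumptions for the example.

```python
import hashlib
import secrets
from typing import Dict, Optional, Tuple

TOKEN_BYTES = 32             # 32 random bytes = 256 bits of entropy
SAML_REPLAY_WINDOW = 10 * 60  # seconds an assertion ID is remembered


def hash_secret(secret: str) -> str:
    """Digest kept server-side; the plaintext is shown to the user once."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


def issue_api_token() -> Tuple[str, str]:
    """Return (plaintext_token, stored_hash). Only the hash is persisted."""
    token = secrets.token_urlsafe(TOKEN_BYTES)
    return token, hash_secret(token)


def lookup_token(presented: str, store: Dict[str, str]) -> Optional[str]:
    """Resolve a presented Bearer token to its owner.

    `store` (assumed layout) maps sha256(token) -> user id, so a leaked
    table exposes digests only, never a usable bearer credential.
    """
    return store.get(hash_secret(presented))


class AssertionReplayGuard:
    """Rejects a SAML assertion ID seen within the last `window` seconds."""

    def __init__(self, window: int = SAML_REPLAY_WINDOW) -> None:
        self.window = window
        self._seen: Dict[str, float] = {}  # assertion id -> time accepted

    def accept(self, assertion_id: str, now: float) -> bool:
        # Expire entries older than the window so memory stays bounded;
        # an ID that has aged out may legitimately appear again.
        self._seen = {k: t for k, t in self._seen.items()
                      if now - t < self.window}
        if assertion_id in self._seen:
            return False  # replay inside the deduplication window
        self._seen[assertion_id] = now
        return True
```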
Content limits
| Resource | Limit |
|---|---|
| Skill content | 512 KB |
| Team description / user bio | 10 KB |
| SAML metadata | 256 KB |
| Skill name | 1–100 chars |
| Team name | 2–50 chars |
| Username | 2–39 chars |
| API tokens per user | 25 |