Security
Rate limiting
API routes are rate-limited to 60 requests per minute per IP via Cloudflare. Credential and email-sending auth endpoints use a stricter limit of 10 requests per minute. SCIM endpoints are keyed by Bearer token instead of IP, so identity-provider directory syncs don't compete with other traffic from shared egress IPs. Exceeding a limit returns 429.
Security headers
| Header | Value |
|---|---|
X-Frame-Options | DENY |
X-Content-Type-Options | nosniff |
Strict-Transport-Security | max-age=63072000; includeSubDomains |
Referrer-Policy | strict-origin-when-cross-origin |
X-DNS-Prefetch-Control | off |
Authentication security
API tokens are generated with 256-bit entropy and stored as SHA-256 hashes — the plaintext is shown once and never persisted. SCIM tokens are likewise stored hashed. CLI device codes expire after 10 minutes. CI/CD OIDC tokens are verified against the provider's published signing keys (issuer, audience, and expiry checked) and exchanged tokens live for 1 hour.
Content limits
| Resource | Limit |
|---|---|
Skill content (text) | 512 KB |
Organization description / user bio | 10 KB |
Package skill (compressed) | 100 MB |
Package skill (uncompressed) | 100 MB |
Package skill file count | 500 files |
Skill name | 1–100 chars |
Organization name | 2–50 chars |
Username | 2–39 chars |
Custom role name | 2–40 chars |
API tokens per user | 25 |
Anonymous shared skills | 10 per identity |