Security Policy

Last updated: May 1, 2026

  • API keys are encrypted with AES-256-GCM before being written to disk.
  • Plaintext keys exist only in server RAM for milliseconds — never logged or stored.
  • Blocked IPs are enforced at the proxy edge on every single request.
  • All database access requires a service-role key, never exposed to the browser.

API key encryption

When you register an API key through the Unify desktop app, the key is sent over HTTPS to our backend where it is immediately encrypted using AES-256-GCM with a server-side secret key stored as an environment variable. The resulting ciphertext is stored in the database.

The plaintext key is never written to disk, never logged, and never returned in any API response. It exists only as a local variable in server memory for the duration of the decrypt operation, which takes microseconds.

// Encryption scheme

Algorithm : AES-256-GCM

Key size : 256 bits (32 bytes)

IV : 96 bits (12 bytes), randomly generated per encryption

Auth tag : 128 bits (16 bytes)

Encoding : base64 (IV + tag + ciphertext)

Key lifecycle during a proxy request

  1. Proxy token is validated against the database
  2. Encrypted blob is fetched from Supabase
  3. Blob is decrypted to plaintext in memory (microseconds)
  4. Plaintext key is used in the Authorization header of the upstream request
  5. Plaintext key is garbage-collected when the request completes

The plaintext key is never logged, never returned to the caller, and never stored beyond the request lifetime. An in-memory cache stores the decrypted key for up to 5 minutes to reduce database round-trips — this cache exists only in the Node.js process memory, not on disk.

Network and transport security

  • All traffic is served over HTTPS/TLS 1.3 via Vercel's edge network
  • HSTS is enforced on all production endpoints
  • Proxy token authentication uses a Bearer token in the Authorization header
  • Dashboard sessions use HS256 JWTs with a 7-day expiry
  • All API routes require authentication via the proxy middleware

IP blocking

IP blocks configured in the dashboard are enforced on every proxy request, checked against the database before any key decryption or upstream forwarding occurs. A blocked IP receives a 403 response and the request is never forwarded to the upstream provider.

Spend limits

Spend limits are enforced at the proxy level. When a proxy token has exceeded its configured block_at_usd threshold, all further requests are rejected with a 429 before the key is decrypted or the upstream is called.

Database security

  • Row-level security (RLS) is enabled on all tables
  • Only service-role credentials can read or write data
  • Passwords are stored as bcrypt hashes (cost factor 10)
  • No plaintext secrets are stored in the database

Responsible disclosure

If you discover a security vulnerability in Unify, please report it responsibly by emailing security@unify.app. Please do not publicly disclose the vulnerability until we have had a reasonable opportunity to address it.

We will acknowledge your report within 48 hours and aim to resolve confirmed vulnerabilities within 14 days. We appreciate the security research community's help in keeping Unify safe.