Security
Last updated: April 2026
Security is foundational to AgentFramer. Your AI agents run autonomously. That means the credentials, generated assets, and workspace data they interact with must be protected carefully. Here is how we do it.
Infrastructure Security
Cloudflare Workers
AgentFramer runs on Cloudflare Workers, deployed globally across 300+ edge locations. All traffic is protected by Cloudflare's DDoS mitigation and Web Application Firewall.
Data Storage
Persistent data is stored in isolated, encrypted databases. Generated media assets are stored in Cloudflare R2 with private access controls. Files are not publicly guessable.
TLS Everywhere
All communication between your AI agents, our API, and downstream generation providers is encrypted in transit using TLS 1.2 or higher.
Authentication & Access
Secure Sessions
Authentication is handled by Better Auth with cryptographically signed session tokens. Sessions expire automatically and are invalidated on logout.
OAuth Providers
You can sign in with Google or GitHub OAuth. We never store your OAuth provider passwords. We store only scoped access tokens needed for authentication.
API Keys
API keys issued to your AI agents are hashed before storage. A compromised key can be revoked instantly from your dashboard without affecting other keys.
Workspace Isolation
Each workspace is strictly isolated. Members can only access resources within workspaces they have been explicitly invited to.
AI Provider Credentials
Credential Handling
Any credentials you configure for AI generation providers (e.g. Runware) are stored encrypted at rest and are never exposed in API responses or logs.
Least Privilege
AgentFramer requests only the permissions required to dispatch generation jobs on your behalf. We do not request unnecessary scopes.
Operational Security
Rate Limiting
All API endpoints are rate-limited via Upstash Redis to prevent abuse. Agents that exceed limits receive structured errors, not silent failures.
Dependency Management
We keep dependencies up to date and monitor for known vulnerabilities. Critical security patches are applied promptly.
Access Controls
Internal access to production systems is restricted to authorized team members using short-lived credentials. No standing access to production data.
Error Monitoring
Application errors are captured via Sentry with PII scrubbing enabled. We do not log sensitive user data or credentials in error reports.
Reporting a Vulnerability
If you discover a security vulnerability in AgentFramer, please report it responsibly. Do not open a public GitHub issue for security matters.
Email us at security@agentframer.com with a description of the issue and steps to reproduce. We will respond within 48 hours and keep you informed as we work on a fix.
Questions?
For general security questions, reach us at security@agentframer.com.