Sec v1.2.0

SECURITY ARCHITECTURE.

Your AI agents run autonomously. That means the credentials, generated assets, and workspace data they interact with must be protected carefully. Here is how we secure the infrastructure.

01

Infrastructure Security

Global Edge

AgentFramer runs on Cloudflare Workers, deployed across 300+ edge locations. All traffic is protected by Cloudflare DDoS mitigation and WAF.

Data Storage

Persistent data is stored in isolated, encrypted databases. Media assets are stored in Cloudflare R2 with private access controls.

TLS Everywhere

All communication between agents, our API, and generation providers is encrypted in transit using TLS 1.2 or higher.

CLOUDFLARE_WORKERS · CLOUDFLARE_R2 · TLS_1.3 · DDoS_MITIGATION · WAF_ENABLED

02

Authentication & Access

#01
Secure Sessions
Authentication uses Better Auth with cryptographically signed session tokens. Sessions expire automatically and are invalidated on logout.
#02
OAuth Provider
Google OAuth sign-in is supported. We never store OAuth provider passwords, only scoped access tokens needed for authentication.
#03
API Keys
API keys are hashed before storage. A compromised key can be revoked instantly from your dashboard without affecting other active keys.
#04
Workspace Isolation
Each workspace is strictly isolated. Members can only access resources within workspaces they have been explicitly invited to.
03

AI Provider Credentials

Encrypted at Rest

Provider credentials are stored encrypted at rest and never exposed in API responses or logs.

Least Privilege

AgentFramer requests only the permissions required to dispatch generation jobs. No unnecessary scopes are ever requested.

Credentials are never logged, indexed, or returned in any API response.
04

Operational Security

Rate Limiting

All API endpoints are rate-limited via Upstash Redis to prevent abuse. Agents that exceed limits receive structured errors.

Dependencies

Dependencies are kept up to date and monitored for known vulnerabilities. Critical patches are applied promptly.

Access Controls

Internal access to production systems is restricted to authorized team members using short-lived credentials.

Error Monitoring

Application errors are captured with PII scrubbing enabled. No sensitive user data or credentials are written to logs.

05

Vulnerability Disclosure

Responsible Disclosure

If you discover a security vulnerability, please report it responsibly. Do not open a public GitHub issue for security matters. We will respond within 48 hours.

  • Describe the vulnerability clearly
  • Include reproduction steps
  • We will confirm receipt within 48h
  • We keep reporters informed throughout
Contact

Security reports and general security questions go to our security team.

security@agentframer.com