Security & Compliance

  • HTTPS required: All production traffic must be encrypted. Follow TLS best practices.

  • Callback signatures: Use HMAC-SHA256 or public‑key signatures; include timestamp and replay protection.

  • Least privilege / minimal storage: Do not hold user private keys or sensitive credentials unless explicitly authorized.

  • Data compliance: Clearly state if you store PII; if you do, encrypt storage and enforce retention limits.

  • Idempotency: All write operations should include an idempotency_key.

  • Auditing: Log X-Request-Id, timestamps, and redacted results; align logs with Chronicle when applicable.

  • High‑risk capabilities: Any functions touching funds, live trading, or permission changes require multisig, allowlists, or human approval, and must provide audit documentation.

  • Identity & access (roadmap): Agent ID will be used to bind capabilities and permissions—please indicate this need on the form.

PreviousExample Use CasesNextSupport & Next Steps

Last updated