Security Policy

Last updated: February 22, 2026

1. Data Encryption

MCPist protects your sensitive information through the following measures:

  • External service access tokens and OAuth credentials are encrypted at rest with AES-256-GCM
  • All communications are encrypted via TLS 1.2 or higher
  • Database connections are secured with SSL/TLS

2. Authentication & Authorization

We employ multi-layered authentication and authorization mechanisms:

  • User authentication via Clerk with secure session management
  • API keys are issued as Ed25519-signed JWTs (mpt_ prefix)
  • Worker-to-Server communication uses short-lived (30s) Gateway JWTs
  • Per-module and per-tool access control with daily usage limits

3. Infrastructure

The service operates on the following infrastructure:

  • API Gateway: Cloudflare Workers (built-in DDoS protection and WAF)
  • Backend: Render.com managed services
  • Database: Supabase PostgreSQL (RLS, automatic backups)
  • DNS/CDN: Cloudflare (DNSSEC enabled)

4. Vulnerability Reporting

If you discover a security vulnerability, please report it through the following channels. We appreciate responsible disclosure and will respond appropriately.

  • Please use the Security Advisory feature on our GitHub repository
  • To allow us time to address the issue before public disclosure, please submit vulnerability details privately

5. Logging & Monitoring

We maintain the following monitoring practices to ensure service security:

  • API request access logging
  • Anomalous access pattern detection
  • Periodic health checks for service availability monitoring

6. Contact

For security-related inquiries, please contact us via GitHub Issues or the Security Advisory feature on our repository.