Security
Last updated: April 10, 2026 · Operated by Vector Apps Inc.
Every security claim on this page is backed by code you can read in our open source repository. We do not make claims we cannot verify.
Webhook Signing
Every webhook delivery is signed with HMAC-SHA256 using a per-account webhook secret. The signed content is {timestamp}.{json_payload}. The signature is sent as X-CueAPI-Signature: v1={hex_digest}. Constant-time comparison prevents timing attacks.
Replay Protection
Every delivery includes an X-CueAPI-Timestamp header with a Unix epoch value. Signatures older than 5 minutes (300 seconds) should be rejected by your handler. This prevents replay attacks where an attacker captures and resends a valid signed request.
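A receiving handler that applies both rules above (HMAC over {timestamp}.{json_payload}, constant-time comparison, 300-second window), written here as an added example rather than CueAPI's own code; it assumes the timestamp header carries integer seconds and that the handler keeps the raw request body as received.

```python
import hashlib
import hmac
import time
from typing import Dict, Optional, Tuple

TOLERANCE_SECONDS = 300  # the page's 5-minute replay window


def sign_delivery(secret: str, timestamp: int, raw_body: str) -> str:
    """Build the v1 signature over '{timestamp}.{json_payload}' as the page describes."""
    signed_content = f"{timestamp}.{raw_body}".encode("utf-8")
    digest = hmac.new(secret.encode("utf-8"), signed_content, hashlib.sha256).hexdigest()
    return f"v1={digest}"


def verify_delivery(secret: str, headers: Dict[str, str], raw_body: str,
                    now: Optional[int] = None) -> Tuple[bool, str]:
    """Return (accepted, reason) for one incoming delivery.

    raw_body must be the body exactly as received; re-serializing the JSON would change
    whitespace or key order and the digest would no longer match.
    """
    now = int(time.time()) if now is None else now
    ts_header = headers.get("X-CueAPI-Timestamp", "")
    sig_header = headers.get("X-CueAPI-Signature", "")
    if not ts_header.isdigit():  # assumption: integer Unix seconds
        return False, "missing or malformed X-CueAPI-Timestamp"
    timestamp = int(ts_header)
    # Replay window first, so stale deliveries are dropped before any HMAC work.
    # abs() also rejects timestamps far in the future (clock skew or forgery).
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        return False, "timestamp outside the 300-second window"
    expected = sign_delivery(secret, timestamp, raw_body)
    # Constant-time comparison; a plain == returns early at the first differing byte.
    if not hmac.compare_digest(expected, sig_header):
        return False, "signature mismatch"
    return True, "ok"


# Constructed sample: a secret, a body and a timestamp signed the way the sender would.
SAMPLE_SECRET = "whsec_example_only"
SAMPLE_BODY = '{"event":"cue.fired","cue_id":"cue_123"}'
SAMPLE_TS = 1_700_000_000
SAMPLE_HEADERS = {
    "X-CueAPI-Timestamp": str(SAMPLE_TS),
    "X-CueAPI-Signature": sign_delivery(SAMPLE_SECRET, SAMPLE_TS, SAMPLE_BODY),
}

if __name__ == "__main__":
    print(verify_delivery(SAMPLE_SECRET, SAMPLE_HEADERS, SAMPLE_BODY, now=SAMPLE_TS + 10))
```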
API Key Security
API keys are hashed with SHA-256 before storage. The plaintext key is shown once at creation and never stored. If you lose your key, regenerate it — the old key is immediately invalidated. Key prefixes (first 12 characters) are stored separately for identification without exposing the full key.
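The storage model described above (SHA-256 digest plus a 12-character prefix, plaintext returned once, regeneration invalidating the old key), as an added example that is not CueAPI's own code; the "cue_" key format and the in-memory key table are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

PREFIX_LEN = 12  # the page stores the first 12 characters for identification

# Stand-in for the key table: prefix -> {account_id, key_hash}. Only the SHA-256 digest
# is persisted; the plaintext exists only in the return value of create_api_key.
KeyStore = Dict[str, Dict[str, str]]


def create_api_key(store: KeyStore, account_id: str) -> str:
    """Mint a key, persist digest and prefix, and return the plaintext exactly once."""
    plaintext = "cue_" + secrets.token_urlsafe(32)  # "cue_" is an assumed format
    store[plaintext[:PREFIX_LEN]] = {
        "account_id": account_id,
        "key_hash": hashlib.sha256(plaintext.encode()).hexdigest(),
    }
    return plaintext


def authenticate(store: KeyStore, presented: str) -> Optional[str]:
    """Look the key up by its prefix, then compare digests in constant time."""
    record = store.get(presented[:PREFIX_LEN])
    if record is None:
        return None
    presented_hash = hashlib.sha256(presented.encode()).hexdigest()
    if not hmac.compare_digest(record["key_hash"], presented_hash):
        return None
    return record["account_id"]


def regenerate_api_key(store: KeyStore, prefix: str) -> Optional[str]:
    """Replace the key identified by prefix; the old key stops working immediately."""
    old = store.pop(prefix, None)
    if old is None:
        return None
    return create_api_key(store, old["account_id"])
```

An unsalted, fast hash is acceptable here because the key is 256 bits of random input rather than a human-chosen password, so a stolen table cannot be brute-forced the way a password table can.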
SSRF Protection
Every callback URL is validated before delivery. DNS resolution is checked at delivery time, not just at registration. Requests to the following 11 IP ranges are blocked:
- 127.0.0.0/8: Loopback
- 10.0.0.0/8: Private network
- 172.16.0.0/12: Private network
- 192.168.0.0/16: Private network
- 169.254.0.0/16: Link-local / cloud metadata
- 0.0.0.0/8: Unspecified
- 100.64.0.0/10: Carrier-grade NAT
- 198.18.0.0/15: Benchmarking
- ::1/128: IPv6 loopback
- fc00::/7: IPv6 private
- fe80::/10: IPv6 link-local
Blocked hostnames: localhost, metadata.google.internal, metadata.internal
HTTPS Only
All API traffic is encrypted in transit. Callback URLs must use HTTPS in production. HTTP endpoints are rejected at registration and at delivery time.
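A callback-URL validator that applies the SSRF Protection and HTTPS Only rules above (the 11 blocked ranges, the three blocked hostnames, HTTPS only, and resolution at delivery time), added here as an example and not CueAPI's own code; the resolver is injectable so the check can run offline, and IPv4-mapped IPv6 handling is an addition the page does not mention.

```python
import ipaddress
import socket
from typing import Callable, Iterable, List
from urllib.parse import urlsplit

BLOCKED_NETWORKS = [ipaddress.ip_network(cidr) for cidr in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "0.0.0.0/8", "100.64.0.0/10", "198.18.0.0/15",
    "::1/128", "fc00::/7", "fe80::/10",
)]
BLOCKED_HOSTNAMES = {"localhost", "metadata.google.internal", "metadata.internal"}
Resolver = Callable[[str], Iterable[str]]

def resolve_all(host: str) -> List[str]:
    # Every A/AAAA answer, because the HTTP client may connect to any one of them.
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def validate_callback_url(url: str, resolver: Resolver = resolve_all) -> List[str]:
    """Return the addresses the delivery may connect to, or raise ValueError with the reason."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("callback URL must use https")
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        raise ValueError("callback URL has no host")
    if host in BLOCKED_HOSTNAMES:
        raise ValueError(f"blocked hostname: {host}")
    try:  # literal IP address: check it directly
        addresses = [str(ipaddress.ip_address(host))]
    except ValueError:  # hostname: resolve now, at delivery time, not only at registration
        addresses = list(resolver(host))
    if not addresses:
        raise ValueError(f"{host} did not resolve")
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        # IPv4-mapped IPv6 (::ffff:10.0.0.5) is checked in its IPv4 form so the v4 ranges apply.
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped
        if any(ip in net for net in BLOCKED_NETWORKS):
            raise ValueError(f"{host} resolves to blocked address {addr}")
    return addresses

def is_safe_callback(url: str, resolver: Resolver = resolve_all) -> bool:
    try:
        validate_callback_url(url, resolver)
        return True
    except ValueError:
        return False
```

The addresses returned should be the ones the HTTP client actually connects to; if the client resolves the name a second time on its own, a record that changes between the two lookups bypasses the check.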
Rate Limiting
Rate limits use a sliding window per API key. Free: 60 req/min. Pro: 200 req/min. Scale: 500 req/min. Responses include standard rate limit headers. Exceeded limits return HTTP 429 with a Retry-After header.
Tenant Isolation
All resources are scoped by authenticated user. No cross-tenant data access. Cues, executions, alerts, workers, and billing are isolated per account.
Account Deletion
When you request account deletion, a 24-hour grace period begins. After the grace period, all data is permanently deleted across all database tables in a specific cascade order. An audit record is retained with one-way SHA-256 hashes only — no reversible personal data.
Infrastructure
CueAPI runs on Railway with isolated environments for staging and production. Database credentials, API keys, and webhook secrets are stored as environment variables — never in code, never in logs (except email addresses in one error path, which is being addressed). All services communicate over private networks. The public API is the only internet-facing endpoint.
Data is stored in Railway's US region. For a full list of infrastructure providers, see our Sub-Processor Disclosure Page.
Dependency Security
Dependencies are pinned to specific versions. All GitHub Actions are pinned to commit SHAs to prevent supply chain attacks. The full dependency tree is auditable in the open source repository.
Security Testing
Our codebase has been tested with 50+ security-specific test cases (out of 600+ total automated tests) covering SSRF bypass vectors (including IPv6, DNS rebinding, cloud metadata), authentication, cross-tenant isolation, input validation, rate limiting, and information disclosure. These tests were run internally — CueAPI has not undergone a paid, third-party security audit or SOC 2 certification.
HTTP Security Headers
All public surfaces (API, marketing site, dashboard, documentation) return the following security headers:
- Strict-Transport-Security: HSTS with long max-age
- Content-Security-Policy: restricts resource loading origins
- X-Frame-Options: prevents clickjacking
- X-Content-Type-Options: prevents MIME-type sniffing
- Referrer-Policy: controls referrer information
- Permissions-Policy: disables unnecessary browser APIs
Verifiable: run curl -sI https://cueapi.ai to inspect headers yourself.
Open Source
Every line of security code is open source. Do not trust us — read it yourself.
Responsible Disclosure
Found a vulnerability? Email [email protected]. Include a description, steps to reproduce, and potential impact.
Response timeline
- Acknowledge receipt: within 72 hours
- Initial triage and severity assessment: within 7 days
- Status update on fix timeline: within 14 days
Scope
In scope: api.cueapi.ai, cueapi.ai, docs.cueapi.ai, blog.cueapi.ai, dashboard.cueapi.ai, and the open source codebase.
Out of scope
- Social engineering against employees or users
- Physical attacks against infrastructure
- Denial-of-service attacks against production systems
- Attacks against third-party services we integrate with
What we ask
- Do not access, modify, or delete other users' data
- Do not disrupt service for other users
- Use test accounts you control
- Do not use automated scanning tools against production without prior coordination
Disclosure timing
We will make every reasonable effort to fix critical issues within 90 days. For complex vulnerabilities, researchers and Vector Apps Inc. will agree on disclosure timing case-by-case. We commit to acknowledging reports within 72 hours and providing a triage assessment within 7 days.
Recognition
We do not currently offer a paid bug bounty. We will credit researchers who report responsibly (with permission), provide a letter of acknowledgment on request, and will not pursue legal action against good-faith security research that follows these rules.
Machine-readable disclosure info: /.well-known/security.txt (RFC 9116).
Related
- Privacy Policy
- Sub-Processors
- Service Status — monitored every 60 seconds