Security

API Key Handling

  • external requests authenticate only through X-API-Key
  • keys supplied in query parameters are rejected with 400
  • plaintext keys are stored as SHA-256 hashes
  • a short prefix is retained for identification and audit

Scope and Network Controls

  • public route authorization is scope-based
  • IP allowlisting is enforced when a key has allowed_cidrs
  • revoked, expired, and invalid keys fail closed with 401

Request Auditing

Every /api/v1/ext/* request receives an X-Request-Id response header. When audit logging is enabled and the DB pool is available, the gateway persists request metadata including:

  • request ID
  • API key identifier metadata
  • method and path
  • query parameters
  • status code
  • latency
  • client IP
  • user agent

Webhook Signing

Webhook payloads are signed with HMAC SHA-256 over the string "{timestamp}.{payload}". Receivers are expected to verify the signature and to reject deliveries whose timestamp falls outside a replay window of 5 minutes.
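A receiver-side check for the scheme above, added here as an illustration rather than the gateway's own code. It assumes the timestamp travels as Unix seconds in a decimal string and that the signature is hex-encoded; the secret and payload below are constructed sample values.

```python
import hashlib
import hmac
import time
from typing import Optional

# The 5-minute replay window stated in the section above.
REPLAY_TOLERANCE_SECONDS = 300

# Constructed sample values for the demonstration (not real credentials).
SECRET = b"constructed-demo-secret"
TS = 1_700_000_000
PAYLOAD = b'{"event":"order.created","id":42}'


def sign_webhook(secret: bytes, timestamp: int, payload: bytes) -> str:
    """Hex HMAC-SHA256 over "{timestamp}.{payload}", the format the page describes."""
    message = f"{timestamp}.".encode() + payload
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, timestamp_header: str, payload: bytes,
                   signature_header: str, now: Optional[float] = None) -> bool:
    """Accept only if the timestamp is inside the replay window AND the MAC matches.

    Assumption: timestamp_header is Unix seconds as a decimal string. Anything that
    does not parse is treated as invalid rather than raising.
    """
    now = time.time() if now is None else now
    try:
        ts = int(timestamp_header)
    except (TypeError, ValueError):
        return False
    # Replay / clock-skew check: reject anything more than 5 minutes from "now",
    # in either direction, so a captured delivery cannot be re-sent later.
    if abs(now - ts) > REPLAY_TOLERANCE_SECONDS:
        return False
    expected = sign_webhook(secret, ts, payload)
    # Constant-time comparison; both sides are bytes so odd header contents cannot
    # trigger a TypeError from compare_digest.
    return hmac.compare_digest(expected.encode(),
                               signature_header.strip().lower().encode())


if __name__ == "__main__":
    sig = sign_webhook(SECRET, TS, PAYLOAD)
    print("fresh delivery accepted:", verify_webhook(SECRET, str(TS), PAYLOAD, sig, now=TS + 10))
    print("stale delivery accepted:", verify_webhook(SECRET, str(TS), PAYLOAD, sig, now=TS + 301))
```

Computing the HMAC over the timestamp as well as the body is what makes the window meaningful: a valid signature cannot be moved onto a newer timestamp without the secret.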

CORS

The FastAPI app uses an explicit allowlist from application settings rather than reflecting arbitrary origins.

Admin Surface

Admin gateway routes are intentionally hidden from the public OpenAPI schema and are protected separately with a bearer admin secret.

Disclosure

Report security issues to security@tanfi.ai.