Security & API Key Storage
Last updated: 2026-05-05
You bring your own keys. We are the runtime that uses them on your behalf — nothing more. Below is exactly what happens to a key the moment you paste it in.
1. What you control
Every paid integration in CASH.BOT is BYOK: you bring your own key for Anthropic, OpenAI, Google, ElevenLabs, Stripe, Twilio, Vultr, Railway, Resend, and so on. You can:
- See every key we hold for you on /dashboard → Settings → Keys — masked by default, full reveal on click.
- Rotate or remove any key from that screen at any time. Removal is immediate and propagates to every running tool within seconds.
- Set spend ceilings per provider — once a ceiling is hit the runtime stops calling that provider until you reset it.
- Export the full list (provider + key reference, never the key itself) as JSON or CSV.
2. How a key is stored
- At rest: per-user database row, encrypted at the application layer with AES-256-GCM using a key that lives only in the runtime environment (never checked into source).
- Scoped to your account. A row is keyed on a SHA-256 hash of your account email. Other customers’ runtimes cannot read your row.
- Never written to logs. Our log redactor strips any string matching the patterns of known key formats (sk-..., ghp_..., Bearer ..., admin-...) before lines are persisted.
- Never echoed in error messages. Provider errors are caught and rewritten to never include the request body or auth header.
- Never stored in URLs or query strings. Keys travel only in POST bodies or header values.
- Backups inherit the same encryption — we cannot read your keys from a database snapshot any more than from the live row.
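A minimal redactor of the kind the "Never written to logs" bullet describes, as an added example and not CASH.BOT's own code: the prefixes are the ones listed above (sk-, ghp_, Bearer, admin-); the secret character class, the minimum length and the logging.Filter hook are assumptions for this example.

```python
import logging
import re

# Prefixes are the ones the page lists; the secret character class and the
# minimum length of 8 are assumptions for this example, not the product's rules.
KEY_RE = re.compile(
    r"(?P<prefix>\bsk-|\bghp_|\badmin-|\bBearer\s+)"
    r"(?P<secret>[A-Za-z0-9._\-]{8,})"
)


def redact(line: str) -> str:
    """Replace the secret part of every recognised key, keeping the prefix so an
    analyst can still tell which kind of credential was about to be logged."""
    return KEY_RE.sub(lambda m: m.group("prefix") + "[REDACTED]", line)


def count_secrets(line: str) -> int:
    """Number of key-shaped strings still present in a line (0 once redacted)."""
    return len(KEY_RE.findall(line))


class RedactingFilter(logging.Filter):
    """Rewrites the message and its args before any handler persists the record."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(str(record.msg))
        if isinstance(record.args, tuple):
            record.args = tuple(redact(str(a)) for a in record.args)
        return True


# Constructed sample log lines; none of these values are real credentials.
SAMPLE_LINES = [
    "POST /v1/messages auth=Bearer sk-ant-EXAMPLE0123456789 status=200",
    "github clone failed token=ghp_EXAMPLEtoken0123456789",
    "internal hop x-service-key=admin-EXAMPLE-secret-1234",
    "provider timeout after 30s, retrying",
]

if __name__ == "__main__":
    log = logging.getLogger("demo")
    log.addFilter(RedactingFilter())
    logging.basicConfig(level=logging.INFO, format="%(message)s")
    for line in SAMPLE_LINES:
        log.info("%s", line)  # each line reaches the handler already redacted
```

A credential whose format is not on the prefix list (a bare hex token, for instance) passes through untouched, which is why a pattern-based redactor is a backstop for the "never logged" rule rather than the only control.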
3. How a key is used
- Decrypted in memory only at the moment a tool call needs it. The plaintext key is placed in the request header of a single outbound call to the provider, then dropped.
- The provider response is yours — we forward it to you, and we keep only what you tell us to keep (e.g. a generated lead list saved to your Files surface).
- We do not multiplex your key across users. Your key handles only your traffic.
- We do not train models on your prompts or responses. We do not sell traffic data.
4. What we do and what we will NEVER do
What we DO
- Store keys encrypted at rest.
- Strip keys from log lines.
- Show you every key we hold.
- Let you rotate or delete on demand.
- Honor spend ceilings you set.
What we DO NOT
- Log, echo, or print plaintext keys.
- Share your key with another user.
- Train on your prompts or outputs.
- Retain decrypted keys in memory after a request.
- Auto-rotate or auto-charge against your provider account.
5. Authentication & sessions
- Passwords are stored as argon2id hashes. We cannot recover a forgotten password — only reset it.
- Reset links are single-use, expire in 24 hours, and are bound to the email address on file.
- Sessions are HTTP-only cookies signed server-side. Sensitive admin actions require re-auth.
- OAuth (Google / GitHub / WhatsApp) is delegated to the provider — we never see your provider password.
6. Transport & infrastructure
- All customer traffic is served over TLS 1.3. HTTP requests are 301-redirected to HTTPS.
- Application servers run on Railway; persistent storage on Railway volumes. Database engine: SQLite with WAL.
- Customer-provisioned VPSes (BYOK Vultr) live on your Vultr account, billed to you, accessible only to you. We do not hold root credentials to your boxes.
- Internal service-to-service traffic is authenticated with rotating shared secrets that never leave Railway environment variables.
7. Disclosure & reporting
If you discover a vulnerability, please email security@cash.bot. We will acknowledge within 48 hours and aim to remediate within 7 days for high-severity reports. We do not currently run a paid bug bounty, but we credit responsible disclosures publicly with permission.
If we learn of a breach affecting your data, we will notify the affected accounts within 72 hours of confirmation, including what was accessed and what we are doing about it.
8. AI provider compliance
- Anthropic: Claude usage is on your Anthropic key, billed to your Anthropic account, subject to Anthropic’s Usage Policies. We attribute Claude where it answers user-facing chats.
- OpenAI: OpenAI usage is on your OpenAI key, billed to your OpenAI account, subject to OpenAI’s Usage Policies.
- Google AI: Gemini usage is on your Google AI key, subject to Google’s Generative AI terms.
- We do not impersonate provider brands and do not present provider models as our own. Where a model name is shown, the provider is named alongside it.
Security disclosures: security@cash.bot
Account / billing: billing@cash.bot
Live support: cash.bot/support