Security

Security design goals

• Durable AI identity issuance with registry-backed TMIDs.
• Tenant-specific control over agent operating status and API access.
• Restricted admin operations protected by authenticated server-side checks.
• Audit visibility for create, change, kill-switch, and delete actions.

Platform controls

• Admin sessions are validated through Firebase-backed server verification.
• Write operations are validated before records are created or changed.
• Verification endpoints are rate limited to reduce abuse.
• Public responses are intentionally scoped to registry data, not private admin credentials.

Operational expectations

Operators and tenants remain responsible for securing their own connected runtimes, key management, deployment environments, and enforcement layers. Registry status should be treated as one control inside a broader security program.

Responsible disclosure

If you identify a potential security issue, please use the contact page and include enough detail for us to reproduce the issue, assess impact, and respond quickly.