Security & Trust

Your API Keys Are Safe With Us.

Orbiton never stores your raw API keys. Every secret is encrypted, every access is logged, and every mutation is role-guarded. Here is exactly how we protect your data.

Key Protection

How Your API Keys Are Stored

Your provider API keys (OpenAI, Anthropic, etc.) are encrypted the moment they enter our system. They are only decrypted server-side, in memory, for the duration of a single proxy request.

Cloud Mode

Supabase managed encryption
  • Supabase Vault encrypts secrets at rest
  • TLS 1.3 in transit to database
  • Keys never sent to the browser
  • Server-only decryption in API routes
  • Row-level security via org scoping

Self-Hosted Mode

AES-256-GCM encryption
  • AES-256-GCM authenticated encryption
  • PBKDF2 key derivation (100,000 iterations, SHA-256)
  • Unique random IV per encryption operation
  • Authentication tag prevents tampering
  • Encryption secret never leaves your server

Self-Hosted Encrypted Format

base64(IV) : base64(authTag) : base64(ciphertext)

Each encrypted value carries its own random initialization vector and an authentication tag. The fresh IV makes every ciphertext unique even for the same input, and the tag lets decryption detect tampering.
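The format above, written out as an added example in Node.js; this is not Orbiton's code. The page does not state the IV length, tag length, PBKDF2 salt or how the secret is fed to PBKDF2, so the 12-byte IV, 16-byte tag, fixed constructed salt and use of the secret as a password string are assumptions.

```javascript
const { pbkdf2Sync, randomBytes, createCipheriv, createDecipheriv } = require("node:crypto");

// Assumption: a fixed, constructed salt. The page does not say how the salt is chosen.
const SALT = Buffer.from("constructed-demo-salt");

// PBKDF2 with the parameters the page lists: 100,000 iterations, SHA-256, 32-byte key.
const deriveKey = (secret) => pbkdf2Sync(secret, SALT, 100000, 32, "sha256");

function encryptSecret(plaintext, secret) {
  const iv = randomBytes(12); // unique random IV per encryption operation
  const cipher = createCipheriv("aes-256-gcm", deriveKey(secret), iv);
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  // base64(IV) : base64(authTag) : base64(ciphertext)
  return [iv, cipher.getAuthTag(), ct].map((b) => b.toString("base64")).join(":");
}

function decryptSecret(stored, secret) {
  const parts = stored.split(":"); // ":" is not in the base64 alphabet, so the split is unambiguous
  if (parts.length !== 3) throw new Error("malformed encrypted value");
  const [iv, tag, ct] = parts.map((p) => Buffer.from(p, "base64"));
  // Reject short IVs and truncated tags before touching the cipher.
  if (iv.length !== 12 || tag.length !== 16) throw new Error("malformed encrypted value");
  const decipher = createDecipheriv("aes-256-gcm", deriveKey(secret), iv);
  decipher.setAuthTag(tag);
  // final() throws when the tag does not authenticate the ciphertext.
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString("utf8");
}

// Flips one ciphertext bit and reports whether decryption refuses the value.
function tamperIsRejected(stored, secret) {
  const [iv, tag, ct] = stored.split(":");
  const raw = Buffer.from(ct, "base64");
  raw[0] ^= 0x01;
  try {
    decryptSecret([iv, tag, raw.toString("base64")].join(":"), secret);
    return false;
  } catch {
    return true;
  }
}
```

Checking the tag length explicitly matters because a decryptor that accepts shortened tags weakens the tamper protection the format relies on.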

Virtual Keys

Your Apps Never See Real API Keys

Instead of passing real provider keys to your agents, Orbiton issues virtual keys that act as secure proxies.

SHA-256 Hashed

Virtual keys are stored as one-way SHA-256 hashes. Even if the database is compromised, the original key cannot be recovered.

Shown Once

The full virtual key is displayed exactly once after creation. After that, only the prefix (orb_live_...) is visible in the UI.

Instant Revocation

Every virtual key has a kill switch. Deactivate it instantly from the dashboard — no redeployment needed, no waiting.

Proxy Security

Every Request Passes 7 Security Checks

Before any API call reaches a provider, it must pass through our multi-layer validation pipeline.

01

Key Authentication

Virtual key extracted from Authorization header and verified against SHA-256 hash in the database.

02

Kill Switch Check

If the key has been deactivated via the dashboard, the request is rejected immediately with 403.

03

Expiry Validation

Keys with expiration dates are checked. Expired keys cannot make any further requests.

04

Budget Enforcement

Monthly spend is calculated against the key's budget cap. Over-budget keys are blocked before the request reaches the provider.

05

Rate Limiting

Per-key RPM limits are enforced with a token bucket algorithm, and org-level RPM caps follow the plan tier. Headers returned: X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset.

06

Server-Side Decrypt

Real provider API key decrypted in memory only for the duration of the forwarding request. Never cached, never logged.

07

Forward & Log

Request forwarded to the provider with real credentials. Usage logged asynchronously. Provider response returned unmodified.
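Checks 01 to 05 in the order listed above, as an added example that is not Orbiton's code. The key store, the Bearer scheme, the field names and every status code except the 403 for a deactivated key are assumptions; the sample keys are constructed.

```javascript
const { createHash } = require("node:crypto");

const sha256 = (s) => createHash("sha256").update(s).digest("hex");

// Constructed key store: rows are indexed by the SHA-256 hash of the virtual key,
// so the raw key never has to be stored to authenticate a request.
function makeStore(nowMs) {
  const row = (o) => ({ active: true, expiresAt: null, budgetUsd: 50, spentUsd: 0, rpm: 2, ...o });
  return new Map([
    [sha256("orb_live_ok"), row({})],
    [sha256("orb_live_revoked"), row({ active: false })],
    [sha256("orb_live_expired"), row({ expiresAt: nowMs - 1 })],
    [sha256("orb_live_broke"), row({ spentUsd: 50 })],
  ]);
}

// Token bucket: capacity equals the key's RPM and refills continuously at RPM tokens per minute.
function takeToken(key, nowMs) {
  if (!key.bucket) key.bucket = { tokens: key.rpm, at: nowMs };
  const b = key.bucket;
  b.tokens = Math.min(key.rpm, b.tokens + ((nowMs - b.at) / 60000) * key.rpm);
  b.at = nowMs;
  if (b.tokens < 1) return false;
  b.tokens -= 1;
  return true;
}

// Returns the status the proxy would answer with; 200 means "continue to steps 06 and 07".
function validate(store, authorization, nowMs) {
  const m = /^Bearer (\S+)$/.exec(authorization || "");
  const key = m && store.get(sha256(m[1]));
  if (!key) return { status: 401, reason: "unknown key" };               // 01 (status assumed)
  if (!key.active) return { status: 403, reason: "deactivated" };         // 02 (403 per the page)
  if (key.expiresAt !== null && key.expiresAt <= nowMs)
    return { status: 401, reason: "expired" };                            // 03 (status assumed)
  if (key.spentUsd >= key.budgetUsd)
    return { status: 402, reason: "budget exceeded" };                    // 04 (status assumed)
  if (!takeToken(key, nowMs))
    return { status: 429, reason: "rate limited" };                       // 05 (status assumed)
  return { status: 200, reason: "forward" };
}
```

The ordering is the point: the cheap rejections run first and the rate-limit token is only spent on a request that would otherwise be forwarded, so a revoked or over-budget key cannot drain the bucket.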

Access Control

Authentication & Authorization

Multi-layer access control ensures only the right people can see and modify your resources.

Auth.js v5 Sessions

JWT-based session management with bcrypt password hashing. Optional OAuth (GitHub, Google). Middleware protects all dashboard routes.

Role-Based Access Control

Three-tier hierarchy: Owner > Admin > Member. Sensitive operations (credentials, invites, billing) require admin role. Owner cannot be removed.

Organization Scoping

Every query is scoped to the current organization. Users can only see and manage data belonging to their org. No cross-tenant data leakage.

SSRF Protection

Health check URLs are validated against private and loopback IP ranges (10.x, 172.16-31.x, 192.168.x, 127.x, ::1). Only HTTPS URLs are accepted for external checks.
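One way to implement the health check URL validation described above, as an added example that is not Orbiton's code. It goes beyond the ranges the page lists (link-local, "this network", IPv6 unique-local and link-local, and IPv4-mapped literals are also refused), and it assumes the caller passes in the addresses DNS returned for the hostname, since checking the hostname string alone says nothing about where it resolves.

```javascript
const net = require("node:net");

const blocked = new net.BlockList();
// Ranges listed on the page.
for (const [prefix, bits] of [["10.0.0.0", 8], ["172.16.0.0", 12], ["192.168.0.0", 16], ["127.0.0.0", 8]])
  blocked.addSubnet(prefix, bits, "ipv4");
blocked.addAddress("::1", "ipv6");
// Added in this example, not listed on the page.
blocked.addSubnet("169.254.0.0", 16, "ipv4"); // IPv4 link-local
blocked.addSubnet("0.0.0.0", 8, "ipv4");      // "this network"
blocked.addSubnet("fc00::", 7, "ipv6");       // IPv6 unique-local
blocked.addSubnet("fe80::", 10, "ipv6");      // IPv6 link-local

function isBlockedAddress(ip) {
  const family = net.isIP(ip);
  if (family === 0) return true;          // not an IP address: refuse
  if (/^::ffff:/i.test(ip)) return true;  // IPv4-mapped IPv6: refuse rather than unwrap
  return blocked.check(ip, family === 6 ? "ipv6" : "ipv4");
}

// resolvedIps (hypothetical parameter): addresses the caller obtained from DNS for the hostname.
function checkHealthUrl(raw, resolvedIps = []) {
  let url;
  try { url = new URL(raw); } catch { return { ok: false, reason: "unparseable" }; }
  if (url.protocol !== "https:") return { ok: false, reason: "not https" };
  if (url.username || url.password) return { ok: false, reason: "credentials in URL" };
  // Inspect the parser's canonical hostname, not the raw string the user typed.
  const host = url.hostname.replace(/^\[|\]$/g, "");
  const candidates = net.isIP(host) ? [host] : resolvedIps;
  if (candidates.length === 0) return { ok: false, reason: "no addresses" };
  // Every resolved address must be acceptable, not just the first one.
  const bad = candidates.find(isBlockedAddress);
  return bad ? { ok: false, reason: `blocked address ${bad}` } : { ok: true, reason: "public" };
}
```

For the check to hold, the health checker has to connect to one of the addresses that were validated rather than resolving the hostname a second time, and redirects need the same validation before they are followed.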

Infrastructure

Defense in Depth

Multiple layers of protection at the infrastructure and application level.

Security Headers

7 Headers

CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, X-XSS-Protection

Webhook Signing

HMAC-SHA256

X-Orbiton-Signature header on all webhook deliveries

Rate Limiting

Dual Backend

In-memory for self-hosted, Upstash Redis for serverless

Error Handling

Zero Leakage

Generic errors to clients, detailed logs server-side only

CORS

Configurable

CORS_ALLOWED_ORIGINS env var for production origin control

Stripe Webhooks

Verified

Official Stripe SDK signature verification on all events

Input Validation

Defense Layer

Email format, password strength, URL length limits, private IP blocking

Environment

Server-Only

No NEXT_PUBLIC_ secrets. All sensitive vars are server-only

Test Coverage

147+ Tests

Crypto, RBAC, rate limiting, proxy, security hardening, and more

Our Commitments

What We Never Do

Security is as much about what you don't do as what you do.

Never store raw API keys

Provider keys are encrypted at rest immediately. Virtual keys are SHA-256 hashed. No plaintext keys anywhere in the database.

Never send keys to the browser

All provider credentials are decrypted server-side only. Client components never receive or handle real API keys.

Never log sensitive data

API keys, passwords, and tokens are excluded from all logs. Error messages are generic on the client, detailed only in server logs.

Never modify your AI responses

The proxy forwards your requests and returns provider responses unmodified. No injection, no filtering, no data collection on content.

Self-Hosted

Want Full Control? Host It Yourself

Self-hosted Orbiton gives you 100% data sovereignty. Your keys, your server, your encryption secret.

Docker Compose Deployment

  • Your ENCRYPTION_SECRET never leaves your machine
  • Database runs on your network (PostgreSQL)
  • No data sent to Orbiton servers
  • Enterprise-tier features included by default
  • CORS restricted to your origins only

Quick Start

git clone https://github.com/your-org/orbiton
cd orbiton
cp .env.example .env.local
# Set DEPLOYMENT_MODE=self-hosted
# Set ENCRYPTION_SECRET (64 hex chars)
docker compose up -d

Security you can verify

Have questions about our security practices? Read our docs, review the source code, or self-host and audit everything yourself.