Provider keys
Provider API keys are encrypted at rest and are never returned to the browser after saving. The dashboard only shows masked previews.
Security
Controls for AI spend, keys, and operational visibility.
MeterLayer is designed as a server-side gateway: customers keep provider keys off application servers, route requests through project keys, enforce budgets, and audit AI usage without storing full prompts by default.
Project API keys
Project keys are generated with secure randomness. Only hashes and short previews are stored, and keys can be rotated from the dashboard.
Prompt handling
Full prompt logging is disabled by default. Request logs use usage, cost, latency, status, metadata, and prompt summaries unless explicit logging is enabled.
Auditability
Project changes, provider credential changes, user management actions, budget events, webhooks, smoke runs, and scheduled jobs are recorded for operational review.
Security Practices
Password hashes are stored with bcrypt.
Dashboard sessions use JWT cookies, mutation routes require CSRF protection, and password changes invalidate older sessions.
Organization roles separate owner, admin, and member permissions.
Proxy traffic is authenticated with project Bearer keys, not browser sessions.
Project budgets, allowed models, allowed providers, disabled project state, body size limits, and rate limits are enforced before provider forwarding.
Webhook endpoints reject obvious SSRF targets and sign deliveries with HMAC-SHA256.
Security headers include CSP, frame protection, nosniff, referrer policy, and HSTS in production.
Public auth flows and protected cron endpoints are rate-limited.
CSV exports neutralize spreadsheet formula prefixes.
Request retention follows the effective billing plan and operational records have configurable retention windows.
Vulnerability Reports
Report suspected vulnerabilities to support@meterlayer.io. A security contact is also published at /.well-known/security.txt.
Customer Responsibility
Keep project API keys server-side, rotate exposed keys, configure least-privilege provider keys where possible, and avoid sending regulated or secret data in prompts unless approved by your organization.
Production Readiness
The operator runbook requires passing quality gates, public smoke checks, backups, external observability, Stripe live mode, Resend domain verification, and incident procedures before paid launch.