MyApi MyApi Join beta
SECURITY

How MyApi protects your credentials.

MyApi exists because handing an AI agent your real passwords is a bad idea. This page states exactly what we do — algorithms, key handling, logging, and the honest current state of compliance — so you can evaluate it like an engineer, not a marketing reader.

Encryption & key management

The sealed-vault guarantee

Agents never receive provider credentials — under any scope. An agent holds only a MyApi scoped token (or an Ed25519 device keypair). When it calls a service, MyApi decrypts the stored credential server-side, signs the outbound request, and returns the result. There is no API through which an agent can read a raw OAuth token or API key belonging to a connected service. Revealing a vault secret to a human owner in the dashboard is a separate, audited action on its own endpoint.

Access control

Audit logging

Prompt-injection defense

Content that flows back through the gateway toward an agent (emails, documents, web content) is scanned by a dedicated classifier sidecar for prompt-injection payloads. Flagged events raise an alert in the security hub and notify the owner by email. This is defense-in-depth on top of scoping: even a successfully hijacked agent can only act within the scopes you granted it.

Your data

Compliance, honestly

MyApi is in open beta and is not yet SOC 2 or ISO 27001 certified. The controls above (encryption, scoped access, full audit trail, export/deletion) are built to the standards those audits assess, and formal certification is planned as the platform exits beta. If your evaluation needs specifics we haven't published, ask us directly on Discord — we'd rather answer precisely than imply.

Reporting a vulnerability

Found something? Please report it privately via Discord (DM a maintainer) or through the contact on our GitHub repository. We commit to acknowledging reports quickly and crediting reporters who wish to be named.