Security Model

Security architecture, permissions, and best practices

Organisation Isolation

All resources are organisation-scoped. An API key can only access resources belonging to its organisation. Cross-org requests return 403 or 404 — there is no way to read another organisation's agents, campaigns, or call data.

Enforcement is at the database level — every query is filtered by organization_id before any result is returned.

Credential Security

  • Webhook credentials and API keys are stored hashed or encrypted — secrets cannot be recovered
  • Credential values are resolved at call time and are never included in workflow definitions, API responses, or logs
  • list_credentials and GET /credentials/{uuid} return metadata only — never secret values

API Key Security

  • Raw key values are returned exactly once (at creation) and cannot be recovered
  • Keys are validated with constant-time comparison to prevent timing attacks
  • last_used_at is tracked per key — use this for access auditing
  • Archived keys fail immediately (401) — reactivate to restore access without losing history
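
The key-handling rules above, as an added Python sketch; this is not the platform's own code. The in-memory `KEYS` table, the `id.secret` key format, the SHA-256 digest and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timezone

# In-memory stand-in for the key table (constructed for this example).
KEYS = {}  # key_id -> record


def create_key(org_id):
    """Create a key; the raw value is returned once and only its hash is kept."""
    key_id = secrets.token_hex(4)
    raw = f"{key_id}.{secrets.token_urlsafe(32)}"
    KEYS[key_id] = {
        "organization_id": org_id,
        # The secret is high-entropy random data, so a plain SHA-256 suffices here.
        "digest": hashlib.sha256(raw.encode()).digest(),
        "archived": False,
        "last_used_at": None,
    }
    return key_id, raw


def authenticate(presented):
    """Return (status, organization_id); 401 for unknown, wrong or archived keys."""
    key_id = presented.partition(".")[0]
    record = KEYS.get(key_id)
    # Hash and compare even when the key id is unknown, so the work done
    # does not reveal whether the id exists.
    expected = record["digest"] if record else bytes(32)
    actual = hashlib.sha256(presented.encode()).digest()
    match = hmac.compare_digest(actual, expected)  # constant-time comparison
    if record is None or not match or record["archived"]:
        return 401, None
    record["last_used_at"] = datetime.now(timezone.utc)  # audit trail per key
    return 200, record["organization_id"]


def set_archived(key_id, archived):
    """Archive or reactivate a key; the row and its last_used_at are kept."""
    KEYS[key_id]["archived"] = archived
```

The organisation returned by `authenticate` is the value every later query would be filtered on.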