Security at Toolkit API

We take a privacy-first, minimal-footprint approach to security. Here’s how we protect your data at every layer.

🔒

Transport Security

All API traffic and website connections are encrypted with TLS 1.2+ (HTTPS). Plain HTTP requests are automatically redirected to HTTPS. We enforce HSTS headers to prevent downgrade attacks.

🔑

Authentication

Every API request requires a valid API key passed via the X-API-Key header. Keys are provisioned and managed through RapidAPI, which handles credential rotation, plan enforcement, and rate limiting.

We never store API keys in our application databases. Authentication is verified at the gateway layer before any request reaches our application code.

Stateless Processing

Almost all of our 13 API toolkits are fully stateless — requests are processed in-memory and discarded immediately after the response is sent. A small number of endpoints (such as PDF merging or image pipelines) need to persist a file briefly to complete the job; those files are automatically deleted within 24 hours.

  • No databases storing user-submitted data
  • Temporary files deleted automatically within 24 hours
  • No session state between requests
  • No request payload logging

🏗️

Service Isolation

Each of the 13 API toolkits runs as a fully independent service with its own network boundary and resource limits. Services have no access to each other’s data or processes.

A vulnerability or outage in one toolkit cannot affect others. Each service is updated and deployed independently, minimising blast radius.

🛡️

Privacy by Design

Our sites set zero tracking cookies and run no user-fingerprinting or behavioural tracking scripts. We do not sell data or share usage information with third parties. See our Privacy Policy for full details.

🚦

Rate Limiting & Abuse Prevention

All API endpoints enforce per-key rate limits communicated via standard X-RateLimit-* headers. Excessive or abusive traffic is automatically throttled at the gateway layer to protect service availability for all users.

🔍

Dependency & Code Security

All services run on pinned, audited dependencies. Base images are rebuilt regularly to pick up security patches. Every deployment runs a comprehensive integration test suite before traffic is switched over.

📧

Reporting a Vulnerability

If you discover a security issue, please report it responsibly to [email protected]. We'll acknowledge receipt within 24 hours and aim to resolve confirmed vulnerabilities promptly.