Security in plain language

This page explains the main safety rules for Agentheaven services.

HTTPS only

• Use only encrypted HTTPS URLs for API calls in production.
• Do not send API keys over plain HTTP.

No local machine permissions needed

• The APIs do not need access to your local files, camera, or microphone.
• You only send request data and receive JSON responses.

Rate limits

• Each API key has request limits per minute.
• Public billing and webhook routes also have limits to reduce abuse.

Logging rules

• Keep logs short and operational.
• Do not write full secrets or full API keys into logs.
• Do not store personal data unless it is required for billing or support.

Key rotation

• Create a new API key regularly or immediately after any suspected leak.
• Revoke old keys after clients switch to the new key.
• Store keys in a password manager or secret vault, not in chat messages.

Discovery links: /pricing.json · /llms.txt