Security
Security practices in PromptRails including encryption, authentication, API key security, and access control.
PromptRails is designed with security as a core concern. This page covers the encryption, authentication, authorization, and operational security measures built into the platform.
Encryption
At Rest
- Credentials are encrypted before storage and never exposed in API responses.
- Passwords are securely hashed to resist brute-force attacks.
- Webhook trigger tokens are encrypted before storage.
- PIN codes for Agent UI deployments are hashed.
In Transit
- All API communication is encrypted via TLS.
- WebSocket connections use secure WebSocket (WSS).
Authentication
User Authentication
User authentication uses short-lived access tokens and refresh tokens. Multi-factor authentication (TOTP) is supported and can be enforced at the workspace level.
API Key Authentication
API keys provide programmatic access:
- Keys are cryptographically generated
- Only a hash is stored — the raw key is shown once at creation time
- Keys are validated on every request
API Key Security
Scopes
API keys support fine-grained scopes that follow the principle of least privilege. Always grant the minimum scopes needed for each integration. See API Keys & Scopes for the full list.
IP Restrictions
API keys can be restricted to specific IP addresses or CIDR ranges from the PromptRails dashboard when you create or edit a key.
Requests from non-allowed IPs are rejected with 403 Forbidden.
CORS Origin Restrictions
For browser-based applications, API keys can restrict which origins are allowed by configuring an origin allowlist in the dashboard.
Key Expiration
Set expiration dates on API keys to enforce rotation.
Rate Limiting
PromptRails applies rate limiting to protect against abuse. Limits vary by endpoint and plan.
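The API key controls described above (hash-only storage, validation on every request, IP/CIDR restrictions and expiration) can be modelled in a few lines. This is an added example, not PromptRails code: the `pr_` prefix, the record fields, SHA-256 as the key hash, the 401 status for invalid or expired keys, and "empty allowlist means unrestricted" are all assumptions made for illustration.

```python
import hashlib
import hmac
import ipaddress
import secrets
from datetime import datetime, timedelta, timezone

# Illustrative model only; names and formats here are assumptions,
# not PromptRails' actual storage schema or hash choice.

def _digest(raw_key):
    # A fast hash is adequate because the key is a long random value, not a password.
    return hashlib.sha256(raw_key.encode()).hexdigest()

def create_key(allowed_cidrs, ttl_days):
    """Return (raw_key, record). Only `record` is stored; the raw key is shown once."""
    raw = "pr_" + secrets.token_urlsafe(32)  # CSPRNG-generated secret
    record = {
        "hash": _digest(raw),
        "cidrs": [ipaddress.ip_network(c) for c in allowed_cidrs],
        "expires": datetime.now(timezone.utc) + timedelta(days=ttl_days),
    }
    return raw, record

def check_request(presented_key, client_ip, record, now=None):
    """Return the HTTP status a gateway enforcing these controls would send."""
    now = now or datetime.now(timezone.utc)
    # Constant-time comparison avoids leaking how much of the hash matched.
    if not hmac.compare_digest(_digest(presented_key), record["hash"]):
        return 401
    if now >= record["expires"]:
        return 401  # assumed status for an expired key
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return 403  # unparseable source address is treated as not allowed
    # Normalise IPv4-mapped IPv6 (::ffff:a.b.c.d) so it matches IPv4 ranges.
    ip = getattr(ip, "ipv4_mapped", None) or ip
    if record["cidrs"] and not any(ip in net for net in record["cidrs"]):
        return 403  # per the page: non-allowed IPs get 403 Forbidden
    return 200

if __name__ == "__main__":
    # Constructed sample: documentation address ranges, 30-day key lifetime.
    raw, rec = create_key(["203.0.113.0/24"], ttl_days=30)
    for src in ("203.0.113.7", "::ffff:203.0.113.7", "198.51.100.1"):
        print(src, check_request(raw, src, rec))
```

When choosing CIDR ranges for a production key, check both the IPv4 and the IPv6 egress addresses of the calling service, since a client that switches address family will otherwise start receiving 403 responses.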
Authorization
Workspace Isolation
All resources are workspace-scoped. Users can only access resources within workspaces they are members of. There is no cross-workspace data access.
Role-Based Access Control
Three workspace roles control user permissions:
| Role | Level |
|---|---|
| Owner | Full control, including workspace deletion |
| Admin | Resource and team management |
| User | Resource usage with limited management |
Credential Masking
Credential values are never returned in API responses. Only a masked version is shown:
sk-proj-abc...xyz9
The full value is only available at creation time and is encrypted immediately.
Data Retention
Deleted resources are retained for recovery and audit purposes. Historical references remain valid, and audit trails are preserved.
Best Practices
- Use API keys with the minimum required scopes
- Set IP restrictions on production API keys
- Enable MFA for all team members
- Set key expiration dates and rotate regularly
- Use CORS restrictions for browser-based integrations
Reporting Vulnerabilities
If you discover a security vulnerability, please report it to [email protected].
Related Topics
- API Keys and Scopes -- Detailed API key management
- Credentials -- Credential management
- Team and Roles -- Access control