Security isn’t an afterthought at Aurora — it’s built into every layer of the platform.

Project isolation

Every project runs in its own isolated container with a separate filesystem, network, and process space. No project can access another project’s code, data, or environment — even if they belong to the same user.

Encrypted secrets

Your API keys and environment variables are encrypted at rest. Secrets are only decrypted server-side at the moment your container starts — they’re injected directly into the runtime environment and never pass through the browser. The Aurora dashboard only shows whether a secret exists, never its value.

JWKS authentication

Every API request is authenticated with a JWT whose signature is verified against a published JWKS (JSON Web Key Set) endpoint. Tokens are signed with ES256 (ECDSA using P-256 and SHA-256), and any expired, tampered, or invalid token is rejected immediately. There are no backdoors or shared keys.

Share links generate a cryptographically unique token tied to a single project. Recipients receive a short-lived access token that expires automatically. You can revoke any share link instantly, and revoked links cannot be reused.

Rate limiting

Sensitive endpoints — including authentication, chat, and secrets management — are rate-limited per client to prevent abuse and brute-force attempts. Exceeding limits triggers automatic blocking with clear cooldown periods.

CORS protection

API access is locked down to approved Aurora domains. Requests from unauthorized origins are rejected outright, preventing cross-site attacks from reaching your data.