Security Model
Flarite is built on a zero-knowledge principle. We can't see your raw API tokens — ever.
Core principles
- Zero-knowledge credential storage — tokens are encrypted before storage; the encryption key is a Cloudflare Worker Secret inaccessible to our team or database.
- Tokens never leave the server unencrypted — tokens are only decrypted at the moment an API call is made, server-side in the Cloudflare Worker.
- Tokens are never sent to the AI model — the LLM sees API results, not your credentials.
- TLS 1.3 in transit — all traffic between your browser and Flarite is encrypted.
- Short-lived sessions — session tokens expire after 7 days and are cryptographically signed.
Infrastructure
Flarite's backend runs as a Cloudflare Worker — globally distributed, no persistent server to attack. The database is Cloudflare D1 (SQLite at the edge). Session state is stored in Cloudflare KV.
Tip: Because Flarite runs on Cloudflare's global network, there's no single data center to target. Your requests are handled by the Cloudflare PoP closest to you.
What we can and cannot see
| Data | Visible to Flarite team? |
|---|---|
| Your email address | Yes — used for account login |
| Your billing information | No — handled entirely by Stripe |
| Your raw API tokens | No — AES-256 encrypted at rest |
| Your AI prompts | Stored for billing counters only; not read by our team |
| API call results (DNS records, invoices, etc.) | No — transient, never persisted |
Password security
Account passwords are hashed with PBKDF2-SHA256 using 100,000 iterations — following OWASP's recommended settings. Raw passwords are never stored or logged.
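One way to hash and verify passwords with PBKDF2-SHA256 at 100,000 iterations using Web Crypto, as available in a Cloudflare Worker. This is an added example, not Flarite's code: the salt length, output length, record format and the `hashPassword` / `verifyPassword` names are assumptions.

```javascript
// Added example (not Flarite's code). Web Crypto is a global in Workers and
// current Node; older Node exposes it through node:crypto.
const wc = globalThis.crypto ?? require("node:crypto").webcrypto;

const ITERATIONS = 100000; // from the page
const SALT_BYTES = 16;     // assumption: 128-bit random salt per password
const HASH_BITS = 256;     // assumption: full SHA-256 output length
const HEX = /^(?:[0-9a-f]{2})+$/;

const toHex = (bytes) => Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
const fromHex = (hex) => Uint8Array.from(hex.match(/../g), (h) => parseInt(h, 16));

async function derive(password, salt, iterations) {
  const key = await wc.subtle.importKey(
    "raw", new TextEncoder().encode(password), "PBKDF2", false, ["deriveBits"]);
  const bits = await wc.subtle.deriveBits(
    { name: "PBKDF2", hash: "SHA-256", salt, iterations }, key, HASH_BITS);
  return new Uint8Array(bits);
}

// Hypothetical record format: pbkdf2-sha256$<iterations>$<salt hex>$<hash hex>
async function hashPassword(password, iterations = ITERATIONS) {
  const salt = wc.getRandomValues(new Uint8Array(SALT_BYTES));
  const hash = await derive(password, salt, iterations);
  return ["pbkdf2-sha256", iterations, toHex(salt), toHex(hash)].join("$");
}

async function verifyPassword(password, record) {
  const [scheme, iter, saltHex, hashHex] = String(record).split("$");
  const iterations = Number(iter);
  if (scheme !== "pbkdf2-sha256" || !Number.isInteger(iterations) || iterations < 1 ||
      !HEX.test(saltHex) || !HEX.test(hashHex)) {
    return { ok: false, needsRehash: false }; // malformed record: fail closed
  }
  const expected = fromHex(hashHex);
  const actual = await derive(password, fromHex(saltHex), iterations);
  // Compare without an early exit so timing does not reveal the first differing byte.
  let diff = expected.length ^ actual.length;
  for (let i = 0; i < actual.length; i++) diff |= actual[i] ^ (expected[i] ?? 0);
  const ok = diff === 0;
  // Records written with a lower work factor are flagged for rehash at login.
  return { ok, needsRehash: ok && iterations < ITERATIONS };
}
```

Storing the iteration count in each record lets the work factor be raised later, with older hashes upgraded the next time the user logs in.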
Report a vulnerability
If you discover a security issue, please email us at [email protected] with "Security Vulnerability Report" in the subject line. We take all reports seriously and will respond within 48 hours.
