Security and Operations
Commercial API platforms must protect secrets, money, and customer trust. This page describes the minimum operating model for OpenEdge.
Secret Management
Current requirements:
- API keys are shown once.
- API key lookup uses hashes.
- Third-party provider keys are encrypted.
- Secrets are not written to source code, logs, or D1 as plaintext.
Provider and bot credentials use:
CONFIG_ENCRYPTION_KEYRecommended properties:
- At least 32 random bytes.
- Stored as a Cloudflare secret.
- Never committed to git.
- Supports future key rotation with versioned encrypted values such as
enc:v1:....
Logging Policy
Log by default:
request_iduser_idservice_idaliasprovidermodel- token usage
- status
- latency
- final cost
- error code
Do not log by default:
- API keys
- Provider keys
- Bot tokens
- Authorization headers
- Refresh tokens
- Full prompts or model responses
- Private webhook URLs
Prompt and response retention should be an explicit customer setting with a retention window.
Billing Safety
Paid services should:
- Check balance before execution.
- Write charges to
transactions. - Write refunds as separate transactions.
- Tie usage logs to request or order IDs.
- Use idempotent refund handling.
- Process stale or pending states with scheduled jobs.
High-risk scenarios:
| Scenario | Control |
|---|---|
| AI stream disconnects | Use upstream usage when available; otherwise settle from the reserved estimate. |
| Provider timeout | Refund if no value was delivered. |
| TRON provider does not fulfill | Expire order and refund. |
| Duplicate refund retry | Use request/order IDs for idempotency. |
| Price changes | Store effective pricing rules for future auditability. |
URL and SSRF Protection
External URLs such as webhook targets and AI provider base_url must be:
- HTTPS.
- Not localhost.
- Not loopback.
- Not private IPv4 ranges.
- Not link-local metadata endpoints.
- Not private IPv6 ranges.
CORS
Production console origin:
https://console.open4x.comDo not allow arbitrary browser origins for console routes.
Monitoring
Monitor at least:
- Worker error rate.
- P95/P99 latency.
- D1 query failures.
- Billing transaction failures.
- Pending refunds.
- AI provider 401/403/429/5xx.
- TRON lease timeouts.
- Rate-limit hits.
- Pages availability.
Suggested alert thresholds:
| Alert | Threshold |
|---|---|
| API 5xx | More than 1 percent for 5 minutes. |
| AI provider failures | More than 5 percent for 5 minutes. |
| Pending refunds | More than 10. |
| D1 write failures | Any repeated write failure. |
| Login failure spike | More than 100 in 10 minutes. |
Legal Documents
Before broad commercial launch, publish:
- Terms of service.
- Privacy policy.
- Acceptable use policy.
- Refund policy.
- Data processing description.
- Third-party provider disclosure.
AI-specific terms should explain BYOK responsibilities, provider data handling, prohibited uses, and whether prompt/response retention is enabled.