alezmad/claudemesh
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
4ae6a86bf6a6f37b171357df99fbdaf921908d4c
claudemesh/.context/turbostarter-framework-context/sections/ai/docs/security.md
Alejandro Gutiérrez d3163a5bff feat(db): mesh data model — meshes, members, invites, audit log 
- pgSchema "mesh" with 4 tables isolating the peer mesh domain
- Enums: visibility, transport, tier, role
- audit_log is metadata-only (E2E encryption enforced at broker/client)
- Cascade on mesh delete, soft-delete via archivedAt/revokedAt

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-04 21:19:32 +01:00

58 lines
3.0 KiB
Markdown
Raw Blame History

---
title: Security
description: Learn about the security measures implemented in TurboStarter AI.
url: /ai/docs/security
---
# Security
<Callout>
Remember to regularly review your security implementations and update them as needed.
</Callout>
The starter kit incorporates several security measures to protect your application and users when interacting with AI services.
## Authenticated endpoints
All AI operation endpoints require user authentication. This is enforced through middleware that verifies the user's session before granting access to any AI features.
<Card title="Authentication" href="/ai/docs/auth" description="Learn more about the authentication setup in TurboStarter AI." />
The system creates anonymous sessions by default, but you can implement stronger authentication using the core framework's capabilities or the dedicated [authentication setup](/docs/web/auth/overview).
## Credit-based access
To prevent AI resource abuse, TurboStarter AI includes a credit-based system. Users receive a limited number of credits that are consumed when using AI features.
<Card title="Billing" href="/ai/docs/billing" description="Learn more about the billing and credits system." />
This approach avoids misuse while enabling potential monetization. Learn about the implementation details in the [Core billing documentation](/docs/web/billing/overview).
## Rate limiting
API endpoints are guarded by rate limiting to prevent abuse and ensure fair usage. This protects your application from potential denial-of-service attacks and excessive request volumes.
<Card title="API" href="/ai/docs/api" description="Learn more about the API layer and services in TurboStarter AI." />
We use [`hono-rate-limiter`](https://github.com/rhinobase/hono-rate-limiter), which supports various storage options including [Redis](https://redis.io/), [Cloudflare KV](https://developers.cloudflare.com/workers/runtime-apis/kv/), and [Memcached](https://memcached.org/) for distributed rate limiting.
## Secure API key handling
Sensitive API keys for AI providers ([OpenAI](/ai/docs/openai), [Anthropic](/ai/docs/anthropic), [Google AI](/ai/docs/google), etc.) are managed exclusively on the backend.
They are **NEVER** exposed to client-side code, dramatically reducing the risk of key leakage or unauthorized usage.
## AI service abuse protection
While TurboStarter AI provides application-level safeguards like credit limits and rate limiting, it's essential to implement additional protection directly with your AI providers.
<Callout type="warn" title="Set limits and alerts">
Always configure spending limits, usage quotas, and monitoring alerts in your
AI provider dashboards (e.g., [OpenAI](/ai/docs/openai),
[Anthropic](/ai/docs/anthropic), [Google AI](/ai/docs/google)). These serve as
critical safety nets against unexpected costs or potential abuse that might
bypass your application-level controls.
</Callout>
By combining application-level security with provider-level controls, you'll build truly robust and secure AI applications.
Reference in New Issue View Git Blame Copy Permalink