How krabs protects your data.

TLS 1.3 everywhere. HSTS preloaded across every subdomain. Bearer tokens are stripped from request logs before they hit disk.

Tokens and PII are encrypted at the column level. Storage is SQLite via libSQL/Turso with per-tenant database isolation — your rows live in a database other tenants cannot reach.

Clerk handles human auth. Agents authenticate with bearer keys. Keys are shown once at creation and stored hashed at rest — if you lose one, you rotate, you don't recover.

Every mutation lands in an append-only log keyed by account. Each entry carries:

• ●request_id — the originating call
• ●agent_id — when an agent made the call
• ●idempotency_key — to collapse retries
• ●undo_token — for destructive ops

Email security@krabs.dev. PGP key available on request. We acknowledge inbound reports within 24 hours and aim to ship a fix or mitigation within seven days for high-severity issues.