Hosted security posture

Sage Router Security

Effective June 19, 2026. This page summarizes the public security boundary for the hosted Sage Router web app, public API edge, generated customer keys, customer analytics, and future managed provider access.

Public Edge Boundary

The hosted public API edge at https://api.sagerouter.dev is API-only. Browser login and dashboards live on https://app.sagerouter.dev. Anonymous model and analytics requests fail closed with setup-safe onboarding guidance instead of provider access.

Authentication

  • /v1/* and /v1beta/* model routes require an active generated sk_sage_* customer API key.
  • Generated keys are hashed at rest, shown once, revocable from the account page, and rechecked on the next request by default.
  • Account and billing UI routes require a valid Supabase user JWT and are routed to the hosted control plane.
  • /analytics, /analytics/funnel, setup, admin, discovery, and dashboard config routes require the private operator token.

Provider Credential Custody

Sage Router is local-first by default. Provider credentials, OAuth profiles, local model access, Tailnet hosts, and private router tokens should stay on customer-controlled machines or private infrastructure unless a separate written managed-access arrangement exists.

Rate Limits and Quotas

Generated-key traffic is rate-limited at the public edge and can be counted against durable monthly Supabase quotas. Quota or auth infrastructure failures are designed to fail closed rather than silently bypass billing and abuse controls.

Analytics Privacy

Launch analytics are privacy-safe operational telemetry. They should not expose prompt bodies, message bodies, raw provider responses, plaintext API keys, provider credentials, OAuth tokens, or customer email addresses in operator analytics responses. Customer dashboards use /account/analytics, scoped to the signed-in account.

Managed Provider Access

Managed provider access is not active in public plans. Activation requires provider resale terms, provider terms acknowledgment, an authorized provider allowlist, a configured provider cost model, plan-margin unit-economics checks, a margin policy, durable quotas, request-per-minute limits, generated-key revocation, billing controls, durable operator audit events, abuse controls, and managed-access acceptable-use enforcement. Public readiness may expose cost-model status and per-plan margin state, but never provider credentials, actual provider costs, prompts, or raw responses.

Operational Checks

Launch readiness verifies public edge health, Supabase auth mode, rate limits, durable quotas, anonymous auth gating, API-only browser boundaries, direct-origin auth gates, hosted security headers, Stripe webhook signature checks, and public legal/security pages before the hosted service is treated as launchable.

Reporting

Report security issues through GitHub private security advisories or the support path published by the project. Do not post secrets, provider keys, OAuth tokens, raw prompts, or customer data in public issues.