Security

ClawEngine is built with security as a core design principle.

Authentication Security

Password hashing: All passwords are hashed with scrypt — a memory-hard key derivation function — with unique random 16-byte salts. Plaintext passwords are never stored or logged.

Session management: Sessions use HTTP-only cookies with sameSite: lax and configurable secrets. Session data is stored server-side.

Password stripping: The password field is removed from every API response before it reaches the client. Your password hash never leaves the server.

Rate Limiting

Authentication endpoints (/api/auth/login and /api/auth/register) are protected by an in-process rate limiter:

  • 10 requests per IP address per 15-minute window

  • Exceeding the limit returns HTTP 429 with a Retry-After header

  • The window resets automatically
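A fixed-window limiter using the limits listed above, as an added example that is not ClawEngine's own code. The fixed-window design, the function names, the injectable clock, and the sample IP addresses are assumptions made for illustration.

```javascript
// Added example: in-process, fixed-window rate limiter keyed by client IP.
// The limits (10 requests per 15 minutes) come from the page; every name is hypothetical.
const WINDOW_MS = 15 * 60 * 1000;
const MAX_REQUESTS = 10;

function createRateLimiter({ windowMs = WINDOW_MS, max = MAX_REQUESTS, now = Date.now } = {}) {
  const hits = new Map(); // ip -> { count, resetAt }

  // Record one request from `ip` and decide whether it may proceed.
  function check(ip) {
    const t = now();
    let entry = hits.get(ip);
    if (!entry || t >= entry.resetAt) {
      // First request from this IP, or the previous window has expired: start a new window.
      entry = { count: 0, resetAt: t + windowMs };
      hits.set(ip, entry);
    }
    entry.count += 1;
    if (entry.count > max) {
      // Retry-After is expressed in whole seconds until the window resets.
      return { allowed: false, status: 429, retryAfter: Math.ceil((entry.resetAt - t) / 1000) };
    }
    return { allowed: true, remaining: max - entry.count };
  }

  // Drop expired entries so the map cannot grow without bound; returns the entries left.
  function sweep() {
    const t = now();
    for (const [ip, entry] of hits) if (t >= entry.resetAt) hits.delete(ip);
    return hits.size;
  }

  return { check, sweep };
}

// Constructed scenario: 11 requests from one IP, a second IP, then the window reset.
function simulate() {
  let clock = 0;
  const limiter = createRateLimiter({ now: () => clock });
  const results = [];
  for (let i = 0; i < 11; i++) results.push(limiter.check('203.0.113.7'));
  clock = 5 * 60 * 1000;                              // five minutes into the window
  const blocked = limiter.check('203.0.113.7');       // still over the limit
  const other = limiter.check('198.51.100.9');        // a different IP has its own budget
  clock = WINDOW_MS;                                  // first IP's window has expired
  const afterReset = limiter.check('203.0.113.7');
  return { results, blocked, other, afterReset };
}
```

Because the counters live in process memory, they are per process and are lost on restart, so a deployment running several instances enforces the limit separately in each one.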

Bot Protection

Registration and login forms are protected by Cloudflare Turnstile — a privacy-preserving CAPTCHA alternative. Turnstile tokens are validated server-side when configured.

Resource Authorization

All API operations verify resource ownership before allowing access. You can only read, modify, or delete resources (agents, connectors, tools, triggers, exports) that belong to your account.

Input Validation

  • All resource IDs are validated as proper UUIDs before database queries

  • Request bodies are validated with Zod schemas before processing

  • Wallet addresses are format-checked before database lookups

On-Chain Payments

Agent export payments are standard Solana SPL token transfers. The client verifies sufficient balance before initiating, waits for on-chain confirmed finality, and all transactions are publicly verifiable on Solscan.
