Security

Key Handling

• New keys use 256-bit random entropy with an sb_ prefix.
• Only a hash of the key is stored by Signal Bench.
• The raw key is displayed once during creation or regeneration.
• Dashboard metadata shows only the key hint, tier, and creation date.
• Key management responses are sent with no-store cache headers.

Access Control

• API routes require x-api-key authentication when auth is enabled.
• Tier gates restrict higher-value endpoints to Standard or Premium keys.
• Per-minute rate limits are enforced by tier.
• Usage events are logged by key id for operational visibility.

Your Responsibility

API keys are bearer credentials. Keep them out of source control, client-side bundles, public notebooks, screenshots, and shared chat logs. Rotate immediately if a key may be exposed.