The boring parts, written plainly.
Watchpost decides whether your AI agent can spend money. That's a sensitive job. This page is what we do to take it seriously.
Eight things we treat as non-negotiable.
- Encryption in transit
Every request to watchpost.systems and the API uses TLS 1.2 or higher. HSTS is enabled on the apex domain.
- Encryption at rest
Postgres data is encrypted at rest using AES-256. Backups are encrypted with the same scheme and kept for 30 days.
- Hashed credentials
Passwords are hashed with bcrypt at cost factor 10. We never store, log, or display the plaintext, even briefly.
- Tokens stored as hashes
Agent connection tokens are SHA-256 hashed in the database. The raw token is shown to you exactly once, when it's issued. If the database leaked, no usable tokens leak with it.
- Least-privilege access
Production database access is limited to a small set of operator accounts, each with audit logs. There's no shared admin login.
- Isolated environments
Production, staging, and development run on separate infrastructure with separate credentials. A bug in dev cannot reach a real user.
- No card data, ever
Watchpost never sees a card number, CVC, or expiry. Stripe handles that. We hold a customer ID and a subscription state, and that's the whole picture.
- Logs without secrets
Server logs are filtered before write. Authorization headers, cookies, and request bodies that contain secrets are stripped. Logs are kept for 30 days.
How a token actually works.
- 01 Generated locally
When you authorize an agent in the browser, we generate a 32-character base32 token. It looks like wp_ABCD…XYZ.
- 02 Hashed before storage
Before the token is saved, it's hashed with SHA-256. The database row contains the hash and an 8-character prefix used for UI listing. Nothing else.
- 03 Shown to you once
The raw token is sent back to the CLI installer over a one-time exchange code. It's written into your agent's MCP config and never displayed again.
- 04 Validated on every call
When your agent calls the API, the bearer token is hashed and compared. A revoked or unknown token is rejected before any work begins.
- 05 Revocable any time
Revoke a connection from the dashboard. The token is marked revoked immediately. The next API call fails closed.
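The five steps above, sketched as an added example (this is not Watchpost's own code). The in-memory `DB` dict, the `conn_id` key and the function names are assumptions, as are the choices to count the 32 base32 characters after the `wp_` prefix and to take the listing prefix from the first 8 characters of the raw token.

```python
import base64
import hashlib
import secrets

PREFIX = "wp_"   # token prefix as shown on the page
DB = {}          # sha256 hex -> row; stands in for the database table (assumption)


def sha256_hex(raw: str) -> str:
    return hashlib.sha256(raw.encode("utf-8")).hexdigest()


def issue(conn_id: str) -> str:
    """Steps 01-03: generate, store only hash + listing prefix, return raw once."""
    # 20 random bytes encode to exactly 32 base32 characters with no padding.
    # That is 160 bits of entropy, which is why an unsalted fast hash is
    # adequate here while passwords need bcrypt.
    body = base64.b32encode(secrets.token_bytes(20)).decode("ascii")
    raw = PREFIX + body
    DB[sha256_hex(raw)] = {
        "conn_id": conn_id,
        "prefix": raw[:8],   # for UI listing only (assumed: first 8 chars of raw)
        "revoked": False,
    }
    return raw               # the caller holds the only copy of the raw value


def revoke(conn_id: str) -> None:
    """Step 05: mark every row for this connection revoked."""
    for row in DB.values():
        if row["conn_id"] == conn_id:
            row["revoked"] = True


def validate(bearer) -> bool:
    """Step 04: hash the presented token and look it up; fail closed."""
    if not isinstance(bearer, str) or not bearer.startswith(PREFIX):
        return False
    try:
        digest = sha256_hex(bearer)
    except UnicodeEncodeError:   # e.g. lone surrogates in a malformed header
        return False
    row = DB.get(digest)         # lookup by hash; the raw token is never stored
    if row is None or row["revoked"]:
        return False
    return True
```

Because lookup is by hash, a copy of `DB` yields only digests and 8-character prefixes, neither of which can be presented as a bearer token.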
Found something? Tell us.
If you spot a vulnerability, write to security@watchpost.systems. Include enough detail that we can reproduce it, and we'll respond within 48 hours.
We don't pay bounties yet. We will name and thank you publicly if you'd like. Either way, please don't disclose the issue publicly until we've shipped a fix or 90 days have passed, whichever comes first.
Please don't pen-test against accounts that aren't yours. If you need a test account to reproduce an issue, email and we'll set one up.
Quiet, careful, always paying attention.
Security work doesn't make a marketing page exciting. It does make a service trustworthy. We're trying for trustworthy.