Security

The boring parts, written plainly.

Watchpost decides whether your AI agent can spend money. That's a sensitive job. This page is what we do to take it seriously.

Practices

Eight things we treat as non-negotiable.

Encryption in transit
Every request to watchpost.systems and the API uses TLS 1.2 or higher. HSTS is enabled on the apex domain.
Encryption at rest
Postgres data is encrypted at rest using AES-256. Backups are encrypted with the same scheme and kept for 30 days.
Hashed credentials
Passwords are hashed with bcrypt at cost factor 10. We never store, log, or display the plaintext, even briefly.
Tokens stored as hashes
Agent connection tokens are SHA-256 hashed in the database. The raw token is shown to you exactly once, when it's issued. If the database leaked, no usable tokens leak with it.
Least-privilege access
Production database access is limited to a small set of operator accounts, each with audit logs. There's no shared admin login.
Isolated environments
Production, staging, and development run on separate infrastructure with separate credentials. A bug in dev cannot reach a real user.
No card data, ever
Watchpost never sees a card number, CVC, or expiry. Stripe handles that. We hold a customer ID and a subscription state, and that's the whole picture.
Logs without secrets
Server logs are filtered before write. Authorization headers, cookies, and request bodies that contain secrets are stripped. Logs are kept for 30 days.
Agent connections

How a token actually works.

  1. 01
    Generated locally

    When you authorize an agent in the browser, we generate a 32-character base32 token. It looks like wp_ABCD…XYZ.

  2. 02
    Hashed before storage

    Before the token is saved, it's hashed with SHA-256. The database row contains the hash and an 8-character prefix used for UI listing. Nothing else.

  3. 03
    Shown to you once

    The raw token is sent back to the CLI installer over a one-time exchange code. It's written into your agent's MCP config and never displayed again.

  4. 04
    Validated on every call

    When your agent calls the API, the bearer token is hashed and compared. A revoked or unknown token is rejected before any work begins.

  5. 05
    Revocable any time

    Revoke a connection from the dashboard. The token is marked revoked immediately. The next API call fails closed.

Responsible disclosure

Found something? Tell us.

If you spot a vulnerability, write to security@watchpost.systems. Include enough detail that we can reproduce it, and we'll respond within 48 hours.

We don't pay bounties yet. We will name and thank you publicly if you'd like. Either way, please don't disclose the issue publicly until we've shipped a fix or 90 days have passed, whichever comes first.

Please don't pen-test against accounts that aren't yours. If you need a test account to reproduce an issue, email and we'll set one up.

Quiet, careful, always paying attention.

Security work doesn't make a marketing page exciting. It does make a service trustworthy. We're trying for trustworthy.