Iteration Layer uses security controls across API authentication, browser sessions, transport security, rate limits, monitoring, and deployment operations.
How Are API Requests Authenticated
API requests are authenticated with bearer API keys.
The plaintext API key is shown only once, when it is created. After creation, the platform stores only the hash needed to verify future requests. See Authentication for request syntax and API key usage.
How Can API Keys Be Scoped
API keys can be managed at the organization level and associated with projects.
Project-scoped keys help separate client work, environments, or internal workflows. They also make usage reporting and budget review easier because requests can be attributed to a project.
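The two sections above describe hash-only key storage and project-scoped keys. The following is an added example of that pattern, not Iteration Layer's own code. SHA-256, the in-memory stores, the `sk_example_` prefix, and all function names and ids are assumptions made for illustration.

```python
import hashlib
import secrets
from collections import Counter

# Assumed in-memory stores; a real service would persist these.
KEY_STORE = {}     # key digest -> {"org": ..., "project": ...}
USAGE = Counter()  # project id -> authenticated request count


def digest_key(plaintext_key):
    # Assumption: SHA-256. A fast hash is adequate only because the key is
    # 256 bits of CSPRNG output; passwords would need a slow KDF instead.
    return hashlib.sha256(plaintext_key.encode("utf-8")).hexdigest()


def create_api_key(org_id, project_id):
    """Store only the digest and return the plaintext key exactly once."""
    plaintext = "sk_example_" + secrets.token_urlsafe(32)  # constructed prefix
    KEY_STORE[digest_key(plaintext)] = {"org": org_id, "project": project_id}
    return plaintext


def authenticate(authorization_header):
    """Return the key's scope for a valid 'Bearer <key>' header, else None."""
    if not authorization_header:
        return None
    scheme, _, token = authorization_header.partition(" ")
    token = token.strip()
    if scheme.lower() != "bearer" or not token:
        return None
    # Lookup is by digest, so the plaintext never has to be stored or
    # compared, and a leaked store does not yield usable keys.
    scope = KEY_STORE.get(digest_key(token))
    if scope is None:
        return None
    USAGE[scope["project"]] += 1  # attribute the request to its project
    return dict(scope)


if __name__ == "__main__":
    key = create_api_key("org_demo", "project_staging")  # constructed ids
    print("shown once:", key)
    print("valid:", authenticate("Bearer " + key))
    print("invalid:", authenticate("Bearer not-a-real-key"))
    print("usage:", dict(USAGE))
```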
How Is Browser Access Protected
Browser access uses passwordless magic links and supported OAuth providers.
Platform sessions are separate from API bearer tokens. Browser login manages users, organizations, billing, projects, and API keys. API keys authorize programmatic requests to the API gateway.
How Is Transport Protected
Iteration Layer uses HTTPS for browser and API traffic.
Webhook URLs must use https://; HTTP webhook URLs are rejected. The Data Processing Agreement describes transport encryption and provider storage-encryption controls in formal contract language.
How Are Requests Rate Limited
API traffic is rate limited to protect availability and reduce abuse.
Rate limits are applied per organization. When the limit is exceeded, the API returns a rate-limit error instead of processing additional requests. See Rate Limits for the current public behavior.
How Are Webhooks Protected
Webhook delivery requires HTTPS and expects a 2xx response from your endpoint.
Your webhook endpoint should authenticate requests where possible, avoid logging full payloads unnecessarily, and apply its own retention controls after receiving results. See Webhooks for payloads, retries, and failure behavior.
What Operational Controls Are In Place
Iteration Layer uses operational controls for monitoring, abuse detection, and secure delivery.
Operational controls include external availability monitoring, cloud firewall rules, restricted SSH access, brute-force protection, dependency and static-analysis checks in CI, compiler warnings-as-errors, strict linting, and deployment health checks.
Where Is The Public Security Summary
The public security summary is available at Security.
Use this docs page for technical implementation context and Security for the public security summary.