Security

Veto is a security product. We hold ourselves to the standard we set for our users.

Default Deny

Every authorization request is denied unless an explicit policy allows it. Misconfiguration fails safe, not open. This is the core principle of Veto's architecture.

API Key Security

API keys are hashed with HMAC-SHA256 before storage — we never store raw keys. Keys support scoping (admin vs read-only) and expiration dates. Raw keys are shown exactly once at creation time.

Data Handling

Sensitive parameters (passwords, tokens, API keys) are automatically redacted in audit logs — recursively, at any nesting depth. All input is validated with Zod schemas. All database queries are parameterized. Regex patterns in policies are checked for ReDoS vulnerabilities before acceptance.
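The recursive redaction described above, as an added example rather than Veto's own code: the set of sensitive key names, the placeholder strings and the sample payload are assumptions chosen for illustration.

```javascript
// Added example, not Veto's own code: recursive redaction of sensitive
// parameters before a request is written to an audit log.
// The key names and the placeholder strings are illustrative assumptions.
const SENSITIVE_KEYS = new Set([
  "password", "token", "apikey", "api_key", "secret", "authorization",
]);
const REDACTED = "[REDACTED]";

// Key comparison is case-insensitive so "apiKey", "APIKEY" and "apikey"
// are all caught.
function isSensitiveKey(key) {
  return SENSITIVE_KEYS.has(String(key).toLowerCase());
}

// Returns a deep copy of `value` with sensitive fields replaced at any
// nesting depth. `ancestors` holds the objects currently being walked so
// a cyclic structure terminates instead of recursing forever.
function redact(value, ancestors = new Set()) {
  if (value === null || typeof value !== "object") {
    return value; // primitives pass through unchanged
  }
  if (ancestors.has(value)) {
    return "[CIRCULAR]";
  }
  ancestors.add(value);
  let out;
  if (Array.isArray(value)) {
    out = value.map((item) => redact(item, ancestors));
  } else {
    out = {};
    for (const [key, child] of Object.entries(value)) {
      out[key] = isSensitiveKey(key) ? REDACTED : redact(child, ancestors);
    }
  }
  ancestors.delete(value);
  return out;
}

// Serialises a request for the audit log with secrets already removed.
function auditLine(request) {
  return JSON.stringify(redact(request));
}

// Constructed sample payload, as a request body might reach the logger.
const sampleRequest = {
  user: "alice",
  password: "hunter2",
  metadata: { auth: { Token: "tok_abc" }, items: [{ apiKey: "k1" }, 42] },
};

console.log(auditLine(sampleRequest));
```

The original object is left untouched, so the redacted copy can be logged while the request itself continues through the handler.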

Infrastructure

The API runs on Cloudflare Workers at the edge for sub-10ms latency globally. Data is stored in Neon serverless Postgres with encryption at rest and in transit. The dashboard is protected by Clerk authentication. All secrets are stored in Cloudflare Workers environment variables — never in code.

Responsible Disclosure

Found a vulnerability? Please email hello@veto.tools with details. We'll respond within 48 hours.