> ## Documentation Index
> Fetch the complete documentation index at: https://getoverlay.io/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Security Model

> Auth, route validation, object access, and logging expectations for Overlay Web.

For vulnerability reporting policy, see [Security Reporting](../legal/security-reporting).

## Release Gate

Before production or enterprise-facing releases:

* Rotate or explicitly confirm all production secrets that could have been exposed.
* Verify preview deployments do not expose production secrets or production data.
* Confirm WorkOS callback/logout URLs match approved origins.
* Confirm Stripe webhook signing is active and portal access is bound to the authenticated customer.
* Confirm R2 buckets remain private and object access is owner-scoped.
* Confirm Daytona/browser/sandbox flows cannot inherit provider keys, cloud admin credentials, or long-lived tokens.
* Confirm rate limits protect auth, billing, AI, browser, and sandbox endpoints.
* Confirm logs and alerts cover auth failures, billing anomalies, CSP reports, rate-limit spikes, and abnormal sandbox usage.

## Required Code Properties

* Provider keys must never be returned to clients.
* Billing portal, checkout, and top-up flows must bind to the authenticated user.
* Native session transfer must validate PKCE and state.
* Internal API calls should use short-lived service auth, not a static root secret over the wire.
* R2 object keys must be validated against the authenticated owner.
* Sensitive `/api/v1/*` routes must use centralized route boundary validation and must not rely on browser-detection headers.

## Convex Security Workflow

If `convex/` auth, authorization, billing, usage, or storage logic changes:

```bash theme={null}
npm run convex:push:all
```

Use `convex:push:prod` for production and `convex:push:dev` for the dev backend. Do not pass `.env.local` to production Convex deploy commands.
