
Security

How Linktrap reduces abuse and protects secrets. Not a formal security audit.

Authentication

  • Clerk middleware protects /create, /dashboard, and every non-public API route (see middleware.ts in the codebase).
  • /api/v1/* is passed through by the middleware (no Clerk session required), but each route handler requires a valid API key before it does any work.
  • /api/stripe/webhook is authenticated by verifying the Stripe-Signature header against the webhook secret, not via Clerk.
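The two non-Clerk checks above, as an added example (not Linktrap's own code): an API-key lookup of the kind a /api/v1/* handler performs, and a hand-rolled check of the Stripe webhook signature scheme. The key-storage layout, the sample keys and the secret are constructed for this example; the signature format follows Stripe's public webhook documentation, and a real handler should call the Stripe SDK's constructEvent rather than this function.

```typescript
import { createHash, createHmac, timingSafeEqual } from "crypto";

// --- API keys for /api/v1/* (hypothetical storage scheme) -------------------
// Only a SHA-256 digest of each issued key is persisted, mapped to the owning
// workspace. Constructed sample rows; the plaintext keys exist only in this demo.
type ApiKeyRecord = { workspaceId: string; revoked: boolean };

const sha256Hex = (s: string): string =>
  createHash("sha256").update(s).digest("hex");

const KEYS_BY_DIGEST = new Map<string, ApiKeyRecord>([
  [sha256Hex("lt_live_example_key_1"), { workspaceId: "ws_a", revoked: false }],
  [sha256Hex("lt_live_example_key_2"), { workspaceId: "ws_b", revoked: true }],
]);

// Runs inside the /api/v1/* route handler (the middleware lets these routes through).
// Returns the caller's workspace id, or null when the request is unauthenticated.
// Looking up by digest is safe: an index hit reveals only that a key with that
// digest exists, never the key bytes, and unknown keys never reach a comparison.
export function authenticateApiKey(authorization: string | null): string | null {
  const m = authorization ? /^Bearer\s+(\S+)$/.exec(authorization) : null;
  if (!m) return null;
  const rec = KEYS_BY_DIGEST.get(sha256Hex(m[1]));
  if (!rec || rec.revoked) return null;
  return rec.workspaceId;
}

// --- Stripe-style webhook signature -----------------------------------------
// Per Stripe's public docs the Stripe-Signature header carries
// "t=<unix seconds>,v1=<hex>" where v1 = HMAC-SHA256(secret, `${t}.${rawBody}`).
// Production code should call stripe.webhooks.constructEvent from the Stripe SDK;
// this version only shows what that call checks. rawBody must be the exact bytes
// received: re-serialising parsed JSON changes them and the MAC no longer matches.
export function verifyStripeStyleSignature(
  rawBody: string,
  header: string,
  secret: string,
  nowSeconds: number,
  toleranceSeconds = 300, // the SDK's default replay window
): boolean {
  let t: string | undefined;
  const candidates: string[] = [];
  for (const kv of header.split(",")) {
    const i = kv.indexOf("=");
    if (i < 0) continue;
    const k = kv.slice(0, i).trim();
    const v = kv.slice(i + 1).trim();
    if (k === "t") t = v;
    else if (k === "v1") candidates.push(v); // several v1 values appear during secret rotation
  }
  if (!t || !/^\d+$/.test(t) || candidates.length === 0) return false;
  // Replay protection: reject events whose timestamp is outside the tolerance window.
  if (Math.abs(nowSeconds - Number(t)) > toleranceSeconds) return false;
  const expected = createHmac("sha256", secret).update(`${t}.${rawBody}`).digest();
  return candidates.some((hex) => {
    const got = Buffer.from(hex, "hex");
    return got.length === expected.length && timingSafeEqual(got, expected);
  });
}

// Builds a header the way the sender does; used here only to exercise the verifier.
export function signStripeStyle(rawBody: string, secret: string, t: number): string {
  const v1 = createHmac("sha256", secret).update(`${t}.${rawBody}`).digest("hex");
  return `t=${t},v1=${v1}`;
}
```

The two failure modes worth testing on a deployment are a body that has been re-encoded by a JSON body parser before verification (the MAC fails) and a replayed event with a valid but stale timestamp (the tolerance check fails).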

Secrets

API keys, database tokens, Clerk secrets, Stripe keys, and OpenAI keys must live in environment variables, never in client bundles or in git. In Next.js, any variable prefixed NEXT_PUBLIC_ is inlined into the browser bundle, so secrets must not carry that prefix.

Rate limiting

Link creation is rate limited with DB-backed one-minute buckets keyed by a fingerprint (the authenticated user plus an IP-derived hint). Once a bucket exceeds its limit, further creations are rejected until the minute rolls over, which mitigates burst abuse.
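The bucket logic above, as an added example rather than Linktrap's implementation: an in-memory Map stands in for the DB table, the fingerprint scheme (user id plus a hashed /24 or /64-style prefix) and the limit of 20 per minute are assumptions for this example, and a real deployment would increment the row atomically in the database.

```typescript
import { createHash } from "crypto";

// Constructed in-memory stand-in for the DB table: one row per (fingerprint, minute).
// A real deployment increments the row atomically (an upsert with count = count + 1
// that returns the new value) so two concurrent requests cannot both read 19 and pass.
const buckets = new Map<string, number>();

// Fingerprint = authenticated user id + a coarse hint derived from the client IP.
// Hypothetical scheme: the first three IPv4 octets (or first four IPv6 hextets),
// hashed so raw addresses are not persisted in the rate-limit table.
export function fingerprint(userId: string, ip: string): string {
  const prefix = ip.includes(":")
    ? ip.split(":").slice(0, 4).join(":")
    : ip.split(".").slice(0, 3).join(".");
  const hint = createHash("sha256").update(prefix).digest("hex").slice(0, 16);
  return `${userId}:${hint}`;
}

export type RateDecision = { allowed: boolean; remaining: number; retryAfterSeconds: number };

// Counts this attempt against the caller's current minute bucket and decides.
// Fixed windows are simple and cheap; the trade-off is that a client can burst
// limitPerMinute at 0:59 and again at 1:00, so the limit is a ceiling per window,
// not a smooth rate.
export function allowLinkCreation(fp: string, nowMs: number, limitPerMinute = 20): RateDecision {
  const minute = Math.floor(nowMs / 60_000);
  const key = `${fp}:${minute}`;
  const count = (buckets.get(key) ?? 0) + 1;
  buckets.set(key, count);
  const allowed = count <= limitPerMinute;
  const secondsIntoMinute = Math.floor((nowMs % 60_000) / 1000);
  return {
    allowed,
    remaining: Math.max(0, limitPerMinute - count),
    retryAfterSeconds: allowed ? 0 : 60 - secondsIntoMinute, // value for a Retry-After header
  };
}

// Housekeeping: drop buckets older than the current minute (a DB would do this with a
// DELETE on the minute column or a TTL index). Returns the number of rows removed.
export function pruneBuckets(nowMs: number): number {
  const current = Math.floor(nowMs / 60_000);
  let removed = 0;
  for (const key of Array.from(buckets.keys())) {
    const minute = Number(key.slice(key.lastIndexOf(":") + 1));
    if (minute < current) {
      buckets.delete(key);
      removed++;
    }
  }
  return removed;
}
```

Keying on the user plus an IP hint means one account cannot spread a burst across many addresses without also spreading it across buckets, while a single address shared by many users (a corporate NAT) is not penalised as a whole.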

Workspace isolation

List/update/delete operations are scoped by the workspace_id resolved from the signed-in user or the API key. A request for a resource in another workspace should return 404, not 403, so that the response does not confirm the resource exists.
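The scoping rule above, as an added example with a constructed in-memory table in place of the database (not Linktrap's own data layer): the unscoped lookup is shown only as the anti-pattern, and the scoped functions put workspace_id into the predicate so a foreign row and a missing row produce the same 404.

```typescript
// Constructed in-memory "links" table. Every row carries workspace_id, the column
// that every list/update/delete query must filter on.
type LinkRow = { id: string; workspaceId: string; slug: string; destination: string };

const LINKS: LinkRow[] = [
  { id: "lnk_1", workspaceId: "ws_a", slug: "launch", destination: "https://example.com/a" },
  { id: "lnk_2", workspaceId: "ws_b", slug: "promo", destination: "https://example.com/b" },
];

// Anti-pattern: fetch by primary key alone and decide afterwards. One forgotten
// check, or a 403 instead of a 404, tells the caller that another tenant's row exists.
export function getLinkUnscoped(id: string): LinkRow | undefined {
  return LINKS.find((l) => l.id === id);
}

// Scoped access: workspace_id is part of the predicate itself, so a row in another
// workspace is indistinguishable from a row that was never there. In SQL this is
// `WHERE id = $1 AND workspace_id = $2` on every statement, not just the SELECT.
export function getLink(workspaceId: string, id: string): LinkRow | undefined {
  return LINKS.find((l) => l.id === id && l.workspaceId === workspaceId);
}

export function listLinks(workspaceId: string): LinkRow[] {
  return LINKS.filter((l) => l.workspaceId === workspaceId);
}

// Returns the number of affected rows, as a DB driver would.
export function deleteLink(workspaceId: string, id: string): number {
  const idx = LINKS.findIndex((l) => l.id === id && l.workspaceId === workspaceId);
  if (idx < 0) return 0;
  LINKS.splice(idx, 1);
  return 1;
}

// Route-handler shape: resolve the caller's workspace from the Clerk session or API
// key first (null = unauthenticated), then let the scoped statement decide 204 vs 404.
export function handleDelete(callerWorkspaceId: string | null, id: string): { status: number } {
  if (!callerWorkspaceId) return { status: 401 };
  return deleteLink(callerWorkspaceId, id) === 1 ? { status: 204 } : { status: 404 };
}
```

Checking the affected-row count of the scoped write, rather than doing a separate read followed by an unscoped write, also closes the window in which a row could move between the check and the mutation.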

Open Graph leakage

Product rule: never place the real destination URL in bot-facing descriptions. Crawlers for chat and social apps fetch the short link to build a preview, and anything in the Open Graph tags is shown to everyone who sees the unfurled link. See Redirects & Open Graph.
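A way to enforce that rule in code, as an added example that is not Linktrap's own implementation: the preview template takes only the slug and workspace-authored copy, and a guard checks the final tags for the destination, since a user can paste the destination into the description themselves. The record shape, the short-link origin and the fallback copy are assumptions for this example.

```typescript
// Constructed link record: the destination is stored server-side for the redirect and
// must never be rendered into the preview shown to link-unfurling bots.
export type StoredLink = { slug: string; destination: string; title: string; description: string };

export type OgMeta = Record<"og:title" | "og:description" | "og:url", string>;

// Bot-facing metadata uses only the short URL and workspace-authored copy. The
// destination is simply not an input to the template.
export function buildBotFacingMeta(link: StoredLink, shortOrigin: string): OgMeta {
  return {
    "og:title": link.title,
    "og:description": link.description,
    "og:url": `${shortOrigin}/${link.slug}`,
  };
}

// Regression guard for the product rule: authored copy can still contain the
// destination, so check the rendered tags against the full URL and its host (with
// and without a leading "www."). Assumes the short-link origin is a different host
// from any destination; otherwise og:url would trigger a false positive.
export function leaksDestination(meta: OgMeta, destination: string): boolean {
  const host = new URL(destination).hostname.toLowerCase();
  const needles = [destination.toLowerCase(), host, host.replace(/^www\./, "")];
  return Object.values(meta).some((tag) => {
    const s = tag.toLowerCase();
    return needles.some((n) => n.length > 0 && s.includes(n));
  });
}

// What a route handler serves to bots: the authored tags if they are clean, otherwise
// neutral fallback copy (hypothetical wording) rather than a leaking preview.
export function safeBotFacingMeta(link: StoredLink, shortOrigin: string): OgMeta {
  const meta = buildBotFacingMeta(link, shortOrigin);
  if (!leaksDestination(meta, link.destination)) return meta;
  return { ...meta, "og:title": link.slug, "og:description": "Shared link" };
}
```

Running leaksDestination in a unit test over the real template, with a destination whose host also appears in the authored copy, is the cheap way to keep the rule from regressing when the preview markup changes.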

Analytics & privacy

Click logs may include the referrer and coarse geolocation headers. Document the retention period for this data and the lawful basis for collecting it in your privacy policy.

Reporting issues

Publish a security contact or abuse inbox for your deployment (for example a security.txt file as described in RFC 9116); Linktrap does not ship a built-in security.txt.