Hive Intelligence home
Hive Intelligence
GitHub

Security

Last updated: May 31, 2026

Security is a core requirement for infrastructure that powers AI and onchain workflows. This page documents the specific controls Hive Intelligence operates today, what we do not yet do, and how to report a vulnerability.

Transport and network

  • HTTPS is enforced on www.hiveintelligence.xyz and mcp.hiveintelligence.xyz. HTTP requests redirect to HTTPS, and the apex website host redirects to the canonical www host.
  • TLS certificates are managed and renewed by the hosting providers. Current production checks show TLS 1.2 as the minimum supported protocol on the public website, with TLS 1.3 available to modern clients.
  • HSTS is enabled on production web and API hosts. Header values are managed per host; the public website currently sends a two-year max-age with includeSubDomains and preload.
  • Production web and API responses set security headers including Content-Security-Policy, X-Content-Type-Options, frame controls, referrer policy, and permissions or cross-origin policies as applicable to the host.
  • The website is served from Vercel. The hosted MCP/API runtime is served behind Cloudflare. Both rely on managed edge network protections for TLS termination and DDoS mitigation.

API key management

  • Keys are generated server-side through the hosted authentication backend. The plaintext key is shown exactly once at creation; after that, the dashboard shows only a non-secret key prefix.
  • Keys can be replaced or disabled from the dashboard. A disabled key is rejected on new authenticated requests after the authentication backend observes the update.
  • Per-key scoping: every key is bound to one account and cannot cross tenancy boundaries. Keys carry metadata for the plan and rate limit they were issued under.
  • Rate limiting is enforced at the API-key and IP levels. Hive 429 responses include Retry-After when the limiter provides it, and rejected rate-limit or quota requests do not execute a tool or consume the normal tool-call credit.
  • Authentication uses Authorization: Bearer (recommended); the legacy x-api-key header is still accepted. Hive has not implemented OAuth yet, so keep the API key on a server you control. Never embed a key in a frontend bundle. Proxy through your own backend.

Data handling

  • Hive does not require or accept wallet private keys, seed phrases, or signed transaction payloads. No Hive tool writes onchain or signs transactions. Provider data tools are read-only; Hive-native stateful tools write only Hive-owned state such as monitors, alerts, memory facts, reports, and B2B subject audit records.
  • Request arguments and provider responses are used to service the request and return the result. Usage metadata such as request id, API key id, credit ledger entries, tool name, provider, category, runtime status, and latency may be retained for accounting, troubleshooting, and abuse prevention.
  • Dashboard account and usage data, including email, usage counters, and billing identifiers or metadata, is stored in Supabase Postgres.
  • The Demo plan does not require a credit card. Paid billing flows store billing identifiers or metadata rather than raw card numbers, CVVs, or full PAN data in the Hive application database.

Dashboard and account security

  • Dashboard authentication is handled by Supabase Auth using email magic links. The main customer login flow does not collect dashboard passwords.
  • Session issuance, refresh, and invalidation are handled by Supabase Auth.
  • The admin surface is placed under the protected dashboard route prefix when Supabase environment variables are configured, with an additional ADMIN_PASSWORD gate for the admin UI.

Application security

  • MCP and REST tool execution validate required fields, primitive types, enum values, and dangerous prototype-pollution keys before provider execution. Malformed tool arguments return structured validation errors.
  • Dependency, framework, and documentation changes go through repository verification: TypeScript checks, linting, generated-claim drift checks, docs coverage checks, internal-link checks, Tailwind Syntax audits, and a Next build. Security updates are prioritized through the normal release process.
  • Operational signals include request ids, API-key rate-limit headers, quota ledgers, provider/category/tool latency logs, runtime statuses, and provider error classes. Throttling is enforced through IP and API-key limits.
  • Third-party client JavaScript in this app is limited to Vercel Analytics in production and Google Analytics when a measurement id is configured.

Compliance roadmap

Hive is not SOC 2 or ISO 27001 certified today, and a GDPR data processing agreement is not published as a self-serve artifact. Teams with formal security, privacy, or procurement requirements should contact support to discuss the Enterprise plan and the current compliance roadmap.

Responsible disclosure

If you identify a potential security issue, report it privately by emailing security@hiveintelligence.xyz or via Telegram support. Please include reproducible steps, affected endpoint, and the expected vs observed behaviour. We acknowledge legitimate reports within 48 hours and commit to a coordinated disclosure timeline with researchers who follow responsible disclosure norms. Do not publicly disclose until we have confirmed the fix is deployed.

Changelog

May 31, 2026: Clarified hosting, key revocation, dashboard authentication, data handling, dependency verification, and compliance wording to match the current website and hosted MCP/API implementation.