Hive Intelligence home
Hive Intelligence
GitHub

Security

Last updated: April 22, 2026

Security is a core requirement for infrastructure that powers AI and onchain workflows. This page documents the specific controls Hive Intelligence operates today, what we do not yet do, and how to report a vulnerability.

Transport and Network

  • HTTPS enforced on www.hiveintelligence.xyz and mcp.hiveintelligence.xyz. HTTP traffic is redirected to HTTPS and then 301-redirected to the canonical host.
  • TLS 1.2 minimum; TLS 1.3 is negotiated by default on all modern clients. Certificates are issued by Let's Encrypt and auto-renewed.
  • HSTS with a two-year max-age and includeSubDomains + preload directives. The apex and www hosts are HSTS-preload eligible.
  • Strict security headers on every response: Content-Security-Policy, X-Content-Type-Options: nosniff, X-Frame-Options: SAMEORIGIN, Referrer-Policy: origin-when-cross-origin, and a tight Permissions-Policy disabling camera, microphone, and geolocation.
  • Edge termination and DDoS mitigation on Vercel's global network.

API Key Management

  • Keys are generated server-side with 256 bits of entropy and stored hashed at rest. The plaintext key is shown to you exactly once at creation.
  • Keys can be rotated or revoked instantly from the dashboard. Revocation is effective within one second across all edge nodes.
  • Per-key scoping: every key is bound to one account and cannot cross tenancy boundaries. Keys carry metadata for the plan and rate limit they were issued under.
  • Rate limiting is enforced per key at the edge. 429 responses include a Retry-After header and do not consume a credit.
  • Authentication accepts either x-api-key or Authorization: Bearer. Never embed a key in a frontend bundle -- proxy through your own backend.

Data Handling

  • Hive does not require or accept wallet private keys, seed phrases, or signed transaction payloads. No Hive tool writes onchain -- the entire surface is read-only data retrieval.
  • Request and response bodies are not persisted past the lifetime of the request. Metadata (timestamp, tool name, latency, credit cost, API key id) is retained for usage accounting and rate-limit enforcement.
  • Dashboard account data (email, usage counters, billing metadata) is stored in Supabase Postgres with encryption at rest and regular backups.
  • Payments are processed by Stripe. Hive does not store card numbers, CVVs, or full PAN data on its infrastructure.

Dashboard and Account Security

  • Authentication is handled by Supabase Auth. Passwords are never stored in plaintext or sent to our application servers.
  • Email-link and OAuth sign-in options are available. Session tokens are rotated on every sign-in.
  • Administrative access to production systems is restricted to a small number of named engineers and gated through short-lived credentials.

Application Security

  • Input validation on all integration surfaces -- MCP, REST, and webhook. Malformed payloads fail closed with a descriptive error, never partial execution.
  • Dependencies are scanned on every deploy via GitHub Dependabot and patched on a rolling basis; critical vulnerabilities target a 72-hour patch window.
  • Operational monitoring flags anomalous traffic, credit spikes, and abnormal error-rate patterns per key. Abuse triggers automated throttle or temporary lock.
  • No third-party JavaScript runs on the dashboard beyond Vercel Analytics and Google Analytics (measurement only, no behavioural profile sharing).

Compliance Roadmap

Hive is not SOC 2 certified today. Teams requiring SOC 2, ISO 27001, or GDPR data processing agreements should contact support to discuss the Enterprise plan, which includes a DPA, a security questionnaire response, and a committed audit timeline. SOC 2 Type I attestation is a stated 2026 roadmap item.

Responsible Disclosure

If you identify a potential security issue, report it privately by emailing security@hiveintelligence.xyz or via Telegram support. Please include reproducible steps, affected endpoint, and the expected vs observed behaviour. We acknowledge legitimate reports within 48 hours and commit to a coordinated disclosure timeline with researchers who follow responsible disclosure norms. Do not publicly disclose until we have confirmed the fix is deployed.

Changelog

Material changes to controls, reporting channels, or disclosure process are noted here with a revised date. Minor copy clarifications are made without a changelog entry.