Security

AfterAI is built for platform teams who need auditability and a defensible posture. The same security model applies whether you use the console, the API, or the SDK.

Authentication and access control

Access is token- and key-based, with fail-closed behavior and protected routes. The console uses an HS256 session JWT stored in an httpOnly cookie; unauthenticated users are redirected to login. The API accepts X-Tenant-Id together with X-Api-Key, or a Bearer JWT for console-originated requests; the SDK sends the API key in request headers. Credentials are hashed at rest, and configuration is environment-based. No secrets are embedded in images or source; required configuration is validated at startup, and the application fails fast if any of it is missing.
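As an added illustration of the fail-closed model described above (example code written for this page, not AfterAI's implementation): a request authenticator that accepts either X-Tenant-Id with a hashed X-Api-Key or a Bearer HS256 JWT, returns no identity for anything else, and refuses to start without its signing secret. The environment variable name, the JWT claim names and SHA-256 hashing of API keys are assumptions.

```python
import base64, hashlib, hmac, json, os, time

REQUIRED_ENV = ("JWT_SECRET",)  # assumed name of the console signing secret
def load_config(env=os.environ):
    # Fail fast: refuse to start if any required setting is missing or empty.
    missing = [k for k in REQUIRED_ENV if not env.get(k)]
    if missing:
        raise RuntimeError(f"missing required configuration: {missing}")
    return {"jwt_secret": env["JWT_SECRET"].encode()}

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def hash_api_key(key):
    # Hash at rest; plain SHA-256 is adequate only for long random keys, never for passwords.
    return hashlib.sha256(key.encode()).hexdigest()
def mint_hs256(claims, secret):
    # Issue a session token (included so the example is self-contained).
    h = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    p = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url_encode(sig)}"

def verify_hs256(token, secret, now=None):
    # Return claims on success, None on any failure: malformed, wrong alg, bad signature, expired.
    try:
        h, p, sig = token.split(".")
        if json.loads(_b64url_decode(h)).get("alg") != "HS256":  # reject 'none' / alg confusion
            return None
        expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(p))
        return claims if claims.get("exp", 0) > (now or time.time()) else None
    except Exception:
        return None

def authenticate(headers, key_hashes, cfg, now=None):
    # headers: request headers; key_hashes: {tenant_id: hash_api_key(key)}. Returns tenant id or None.
    tenant, key = headers.get("X-Tenant-Id"), headers.get("X-Api-Key")
    if tenant and key:
        # A presented API key that fails does not fall through to the JWT path: fail closed.
        stored = key_hashes.get(tenant)
        ok = stored is not None and hmac.compare_digest(stored, hash_api_key(key))
        return tenant if ok else None
    auth = headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        claims = verify_hs256(auth[7:], cfg["jwt_secret"], now)
        return claims.get("tenant") if claims else None
    return None
```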

Architecture and data

AfterAI is out-of-band by design. It does not sit in your inference path: there is no inference-path instrumentation and no traffic in the hot path. Telemetry is asynchronous and designed to fail open, so a telemetry failure does not block inference. The system is metadata-first; prompt and output capture is optional, sampled, and controllable. Change and risk are captured out-of-band with zero impact on latency.

Operational security

Secrets and configuration are supplied via environment variables. The application fails fast on misconfiguration so that incomplete or insecure deployments do not start. We are committed to further hardening as we scale, including rate limiting, DDoS protection, and WAF where appropriate.
