Security

Honest by default

Three principles drive every decision here: your keys and conversations live on your server, not ours. The app is a thin client — it holds a pairing token and nothing else sensitive. And when there’s a real risk, we’d rather disclose it plainly than polish over it.

The shape of the system

Your iPhone

  • Thin native client — no provider keys, ever
  • Pairing token in the iOS Keychain
  • Device-only accessibility, not iCloud-synced
TLS · Tailscale / WireGuard

Traffic rides an encrypted tunnel between your phone and your server. Nothing passes through our infrastructure — there is no middle.

Your server

  • Bearer-token auth on every endpoint
  • Provider API keys in the server environment
  • Conversations and memory stored here, on your disk

What’s solid today

The parts we’re confident in

These are shipped and verifiable in the code, not aspirations.

Solid

Provider API keys never touch the phone

Your OpenAI / Anthropic / other provider keys live in your server’s environment. The iOS app never sees, stores, or transmits them — it only talks to your server.

Solid

Every endpoint requires a bearer token

There are no unauthenticated API endpoints. The server checks the token on every request using a constant-time comparison, which avoids timing side-channels.

Solid

The server refuses to start with a weak key

If the server API key is missing or shorter than 16 characters, the server will not boot. We treat a guessable key as remote code execution waiting to happen — so it’s a hard stop, not a warning.

Solid

Pairing token lives in the iOS Keychain

On the phone, the token is stored in the Keychain with device-only accessibility. It is not synced to iCloud and doesn’t leave the device.

Solid

HTTPS enforced for remote hosts

The app requires HTTPS when connecting to a server outside your trusted local ranges. The blessed setup routes all traffic through a Tailscale (WireGuard) encrypted tunnel.

Solid

Honest capability gating

The app only shows features your server actually supports. No dead buttons pretending capabilities exist — what you see is what your setup can do.

What we’re honest about

The risks, in plain language

Every self-hosted agent has these tradeoffs. Here are ours, each with the mitigation we actually recommend — because you’d find them anyway, and you should hear them from us first.

Disclosure

The agent can run shell commands on its host

That’s the point of an agent — and it’s also the biggest risk. By default, the operating system is the security boundary between the agent and everything else on that machine.

Mitigation

Run the server in Docker or gVisor, or on a dedicated machine that holds nothing you can’t afford to expose. Our deploy guide walks through the isolated setups.

Disclosure

Today’s pairing token is the server’s long-lived key

When you pair by QR code, the phone receives the server’s own long-lived API key. There is no per-device token yet, and no automatic expiry — if it leaks, rotation is manual.

Mitigation

Treat the QR code like a password: don’t screenshot or share it. If you suspect a leak, rotate the key on the server and re-pair. Per-device expiring tokens are on the roadmap.

Disclosure

Plain-HTTP pairing is allowed on trusted local ranges

The app technically permits pairing over plain HTTP on localhost, LAN, and Tailscale address ranges. On a network you don’t control, that would expose your token in transit.

Mitigation

Use Tailscale — then everything, pairing included, rides an encrypted WireGuard tunnel regardless. Never pair over plain HTTP on a network you don’t trust.

Disclosure

Provider keys sit in a plaintext env file on the host

Like most self-hosted software, your provider API keys are stored in a plaintext environment file on the server. Standard practice — but you should know it.

Mitigation

Protect the host: enable full-disk encryption, keep the machine patched, and restrict who can log in. Anyone with access to that box has access to those keys.

Your data

What we collect (short list)

No analytics or tracking in the app

The iOS app contains no analytics SDK, no tracking pixels, no telemetry phoning home.

The website collects only what you give it

Sign-in (handled by Clerk — we never see your credentials), a waitlist email if you join, and contact messages if you send one. That’s the list.

The full details live in our privacy policy.

Found something?

If you’ve discovered a vulnerability or a claim on this page that doesn’t hold up, tell us. Security reports get a security-first response — read, taken seriously, and answered.

Report it