Security
Honest by default
Three principles drive every decision here: your keys and conversations live on your server, not ours. The app is a thin client — it holds a pairing token and nothing else sensitive. And when there’s a real risk, we’d rather disclose it plainly than polish over it.
The shape of the system
Your iPhone
- Thin native client — no provider keys, ever
- Pairing token in the iOS Keychain
- Device-only accessibility, not iCloud-synced
Traffic rides an encrypted tunnel between your phone and your server. Nothing passes through our infrastructure — there is no middle.
Your server
- Bearer-token auth on every endpoint
- Provider API keys in the server environment
- Conversations and memory stored here, on your disk
What’s solid today
The parts we’re confident in
These are shipped and verifiable in the code, not aspirations.
Provider API keys never touch the phone
Your OpenAI / Anthropic / other provider keys live in your server’s environment. The iOS app never sees, stores, or transmits them — it only talks to your server.
Every endpoint requires a bearer token
There are no unauthenticated API endpoints. The server checks the token on every request using a constant-time comparison, which avoids timing side-channels.
The server refuses to start with a weak key
If the server API key is missing or shorter than 16 characters, the server will not boot. We treat a guessable key as remote code execution waiting to happen — so it’s a hard stop, not a warning.
Pairing token lives in the iOS Keychain
On the phone, the token is stored in the Keychain with device-only accessibility. It is not synced to iCloud and doesn’t leave the device.
HTTPS enforced for remote hosts
The app requires HTTPS when connecting to a server outside your trusted local ranges. The blessed setup routes all traffic through a Tailscale (WireGuard) encrypted tunnel.
Honest capability gating
The app only shows features your server actually supports. No dead buttons pretending capabilities exist — what you see is what your setup can do.
What we’re honest about
The risks, in plain language
Every self-hosted agent has these tradeoffs. Here are ours, each with the mitigation we actually recommend — because you’d find them anyway, and you should hear them from us first.
The agent can run shell commands on its host
That’s the point of an agent — and it’s also the biggest risk. By default, the operating system is the security boundary between the agent and everything else on that machine.
Mitigation
Run the server in Docker or gVisor, or on a dedicated machine that holds nothing you can’t afford to expose. Our deploy guide walks through the isolated setups.
Today’s pairing token is the server’s long-lived key
When you pair by QR code, the phone receives the server’s own long-lived API key. There is no per-device token yet, and no automatic expiry — if it leaks, rotation is manual.
Mitigation
Treat the QR code like a password: don’t screenshot or share it. If you suspect a leak, rotate the key on the server and re-pair. Per-device expiring tokens are on the roadmap.
Plain-HTTP pairing is allowed on trusted local ranges
The app technically permits pairing over plain HTTP on localhost, LAN, and Tailscale address ranges. On a network you don’t control, that would expose your token in transit.
Mitigation
Use Tailscale — then everything, pairing included, rides an encrypted WireGuard tunnel regardless. Never pair over plain HTTP on a network you don’t trust.
Provider keys sit in a plaintext env file on the host
Like most self-hosted software, your provider API keys are stored in a plaintext environment file on the server. Standard practice — but you should know it.
Mitigation
Protect the host: enable full-disk encryption, keep the machine patched, and restrict who can log in. Anyone with access to that box has access to those keys.
Your data
What we collect (short list)
No analytics or tracking in the app
The iOS app contains no analytics SDK, no tracking pixels, no telemetry phoning home.
The website collects only what you give it
Sign-in (handled by Clerk — we never see your credentials), a waitlist email if you join, and contact messages if you send one. That’s the list.
The full details live in our privacy policy.
Found something?
If you’ve discovered a vulnerability or a claim on this page that doesn’t hold up, tell us. Security reports get a security-first response — read, taken seriously, and answered.