Security architecture

Controls belong on the server, not in a button.

SIMCOAI protects authentication, provider credentials, API keys and subscription entitlements in the backend.

Secure sessions

HTTP-only secure cookies, Supabase identity validation and explicit session revocation endpoints protect dashboard access.

Scoped API keys

Customer API keys are stored only as peppered hashes (the pepper stays server-side), carry explicit scopes, and are displayed in plaintext only once, at creation.

Plan enforcement

Phone, Setup AI, automation, analytics and API capabilities are checked by backend middleware.

Database controls

Supabase service access remains server-side while schema migrations enable row-level security.

Webhook verification

Stripe raw-body signature validation and optional Twilio signature validation protect provider callbacks.

Responsible contact

Potential security issues can be submitted through the security category for priority handling.

Contact security →