-
Notifications
You must be signed in to change notification settings - Fork 2
Security
coder11125 edited this page May 1, 2026
·
1 revision
Your provider API keys (Google, OpenAI, Anthropic, etc.) are sensitive. Quasar AI protects them as follows:
- Keys are encrypted with AES-256-GCM before being sent to the server
- The encrypted format is
hex(iv):hex(authTag):hex(ciphertext)— without theENCRYPTION_KEYserver secret, the ciphertext cannot be decrypted - Keys are never logged or stored in plain text anywhere on the server
- On the client, keys are cached in
localStoragefor the session
- Passwords are hashed with bcrypt before storage — the plain password is never stored
- Sessions use JWT tokens with a 7-day expiry, signed with a secret that never leaves the server
- Login and registration endpoints are rate-limited to 10 attempts per IP per 15 minutes to prevent brute force attacks
- Login timing is normalised to prevent user enumeration via response time differences
- Chat histories and folders are synced to MongoDB under your user account
- All sync API endpoints require a valid Bearer token — unauthenticated requests are rejected with 401
- Expired tokens trigger a clean logout rather than a silent failure
- All user-controlled content (message text, chat titles, folder names) is run through
escapeHtml()before being injected into the DOM - The artifact panel preview iframe uses
srcdocwith sandbox restrictions — previewed HTML cannot access your session or make credentialed requests
- Does not read or log the content of your conversations
- Does not sell or share your data
- Does not store your API keys in plain text
- Does not make API calls on your behalf without your action
If you self-host Quasar AI, you control the server, the database, and the encryption key. Your data never touches the hosted instance at quasar-ai-two.vercel.app.