Security
Account and session security
- Authenticated web sessions use signed HTTP-only cookies.
- State-changing browser requests use CSRF protections.
- Passwords, passkeys, and magic-link flows are handled through dedicated authentication boundaries.
- Active sessions can be reviewed and revoked.
Connected-assistant access
- Remote assistant access uses OAuth authorization rather than asking you to copy a permanent account password or API key.
- Access is scoped to the identity and workspaces you approve.
- Connected access tokens can be revoked.
- OnlyCheckboxes keeps a structured work record so agent changes remain inspectable.
Payments and files
- Stripe handles web checkout and card details; Apple handles App Store purchases.
- Billing webhooks are signature-verified when webhook verification is configured.
- File uploads use validated metadata and controlled storage paths before they can be attached to a checklist or item.
Operations
Structured logs, rate limits, authorization checks, security headers, and error monitoring help detect abuse and diagnose failures. Access to production systems should remain limited to the people and services that need it.
Responsible disclosure
If you believe you found a security issue, email [email protected] with a clear description and reproduction steps. Please do not access data that is not yours or disrupt the service while investigating.