Infrastructure

  • Managed cloud hosting – production traffic runs on managed infrastructure with network-level DDoS protections.
  • Encrypted data stores – application data is encrypted at rest and in transit.
  • TLS everywhere – public application, API, MCP, and webhook traffic uses HTTPS.
  • Operational monitoring – production systems are monitored for availability, abuse signals, and delivery failures.

Authentication

API Keys

  • All API keys are hashed before storage – we never store plaintext keys
  • Keys are prefixed by type for easy identification:
    • ak_live_ – merchant keys
    • ak_aff_ – affiliate keys
    • ak_onb_ – onboarding keys
  • Keys are scoped – each key only has access to the permissions you grant
  • Keys can be revoked instantly from the dashboard

Webhook Signatures

  • All outbound webhooks are signed with HMAC-SHA256
  • Signing secrets are derived per-endpoint (not shared across endpoints)
  • Timestamp validation prevents replay attacks
  • See Signature Verification for implementation details
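
A receiver-side sketch of the checks listed above, added here as an example and not taken from AgentRef's own code. The signed-message layout (timestamp, a dot, then the raw body), the hex encoding, the 300-second window and the function names are all assumptions; the real header names and format are in Signature Verification.

```python
import hashlib
import hmac
import time
from typing import Optional

TOLERANCE_SECONDS = 300  # assumed replay window, not a documented AgentRef value


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    # Assumed signed message: b"<timestamp>." + raw body, hex-encoded digest.
    message = str(timestamp).encode() + b"." + body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, timestamp_header: str, signature_header: str,
                   body: bytes, now: Optional[float] = None) -> bool:
    """Return True only for a correctly signed delivery inside the replay window."""
    now = time.time() if now is None else now
    try:
        timestamp = int(timestamp_header)
    except (TypeError, ValueError):
        return False
    # Recompute over the raw bytes received, never over re-serialized JSON.
    expected = sign(secret, timestamp, body)
    # Constant-time comparison avoids leaking how many leading characters matched.
    if not hmac.compare_digest(expected.encode(), str(signature_header).encode()):
        return False
    # The timestamp is authenticated by the MAC, so the age check can be trusted.
    return abs(now - timestamp) <= TOLERANCE_SECONDS


def demo() -> dict:
    # Constructed sample data: two per-endpoint secrets and one payload.
    secret_a, secret_b = b"constructed-secret-endpoint-a", b"constructed-secret-endpoint-b"
    body = b'{"example": "constructed payload"}'
    sent_at = 1_700_000_000
    sig = sign(secret_a, sent_at, body)
    ts = str(sent_at)
    return {
        "fresh": verify_webhook(secret_a, ts, sig, body, now=sent_at + 10),
        "replayed_later": verify_webhook(secret_a, ts, sig, body, now=sent_at + 3600),
        "replayed_redated": verify_webhook(secret_a, str(sent_at + 3600), sig, body, now=sent_at + 3600),
        "tampered_body": verify_webhook(secret_a, ts, sig, body + b" ", now=sent_at + 10),
        "other_endpoint": verify_webhook(secret_b, ts, sig, body, now=sent_at + 10),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

The redated case is rejected because the timestamp is part of the signed message, so changing the header to look fresh invalidates the signature.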

Data Protection

What We Store

| Data | Purpose | Retention |
|---|---|---|
| Click data | Attribution tracking | Duration of cookie window + 30 days |
| Conversion data | Commission calculation | Indefinite (business records) |
| Affiliate profiles | Account management | Until account deletion |
| Tracking cookies | Attribution | First-party, configurable duration |

What We Don’t Store

  • Credit card numbers (handled entirely by Stripe)
  • Customer passwords
  • Raw Stripe webhook payloads (processed and discarded)

Cookies

  • First-party only – no third-party cookies
  • SameSite=Lax – prevents CSRF
  • HttpOnly where applicable
  • Cookie names: agentref_cid, agentref_pid, agentref_src, agentref_vid, agentref_ts

GDPR & Privacy

  • Consent mode – tracking script can defer click recording until AgentRef.setConsent('granted') is called
  • No cross-site tracking – all cookies are first-party
  • Data minimization – we only collect what’s needed for attribution
  • Right to deletion – affiliates and merchants can request account deletion
  • See Consent & GDPR for implementation details

Responsible Disclosure

If you discover a security vulnerability, please email security@agentref.co. We take all reports seriously and will respond within 48 hours.
Never share API keys in public repositories, client-side code, or support tickets. If a key is compromised, revoke it immediately in the dashboard and create a new one.