> ## Documentation Index
> Fetch the complete documentation index at: https://agentref.co/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Security

> How AgentRef protects your data and what security measures are in place.

## Infrastructure

* **Managed cloud hosting** – production traffic runs on managed infrastructure with network-level DDoS protections.
* **Encrypted data stores** – application data is encrypted at rest and in transit.
* **TLS everywhere** – public application, API, MCP, and webhook traffic uses HTTPS.
* **Operational monitoring** – production systems are monitored for availability, abuse signals, and delivery failures.

## Authentication

### API Keys

* All API keys are hashed before storage – we never store plaintext keys
* Keys are prefixed by type for easy identification:
  * `ak_live_` – merchant keys
  * `ak_aff_` – affiliate keys
* Keys are scoped – each key only has access to the permissions you grant
* Keys can be revoked instantly from the dashboard

### Webhook Signatures

* All outbound webhooks are signed with HMAC-SHA256
* Signing secrets are derived per-endpoint (not shared across endpoints)
* Timestamp validation prevents replay attacks
* See [Signature Verification](/webhooks/signature-verification) for implementation details

## Data Protection

### What We Store

| Data               | Purpose                | Retention                           |
| ------------------ | ---------------------- | ----------------------------------- |
| Click data         | Attribution tracking   | Duration of cookie window + 30 days |
| Conversion data    | Commission calculation | Indefinite (business records)       |
| Affiliate profiles | Account management     | Until account deletion              |
| Tracking cookies   | Attribution            | First-party, configurable duration  |

### What We Don't Store

* Credit card numbers (handled entirely by Stripe)
* Customer passwords
* Raw Stripe webhook payloads (processed and discarded)

### Cookies

* **First-party only** – no third-party cookies
* **SameSite=Lax** – prevents CSRF
* **HttpOnly** where applicable
* Cookie names: `agentref_cid`, `agentref_pid`, `agentref_src`, `agentref_vid`, `agentref_ts`

## GDPR & Privacy

* **Consent mode** – tracking script can defer click recording until `AgentRef.setConsent('granted')` is called
* **No cross-site tracking** – all cookies are first-party
* **Data minimization** – we only collect what's needed for attribution
* **Right to deletion** – affiliates and merchants can request account deletion
* See [Consent & GDPR](/tracking/consent-gdpr) for implementation details

## Responsible Disclosure

If you discover a security vulnerability, please email **[security@agentref.co](mailto:security@agentref.co)**. We take all reports seriously and will respond within 48 hours.

<Warning>
  Never share API keys in public repositories, client-side code, or support tickets. If a key is compromised, revoke it immediately in the dashboard and create a new one.
</Warning>
