> For the complete documentation index, see [llms.txt](https://docs.jetpero.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.jetpero.com/features/security.md).

# Security

### 🛡️ Key Principles

#### 🔒 Secure by Default

JetPero is designed to ensure that your actual provider API keys **never leave your backend** or touch the frontend.

#### 🧠 No Client-side Exposure

All requests to third-party providers go through JetPero’s secure proxy. Your provider keys are **auto-injected server-side**, so your users or browsers never see them.

#### 🗂️ Project-level Isolation

Every project you create (e.g., `abc.co`, `tt.net`) has:

* Its own isolated API key vault
* A **project-specific auth token**
* Strict access controls

***

### 🔑 Provider Key Handling

When you set up a provider:

* The **actual provider API key** is encrypted and stored securely
* JetPero generates a **JWT-based token** tied to the project
* Your proxy requests only require this JetPero project token

✅ Example:\
You make a request to OpenAI like this:

```bash
curl https://api.jetpero.com/proxy/openai/chat/completions \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer <Your-Project-Token>" \
  -d '{ "model": "gpt-4", "messages": [...] }'
```

> 🚫 You never have to expose your real OpenAI key in this request.\
> 🔁JetPero handles it behind the scenes, injecting your stored key securely.

### 🧩 Organization-Level Scoping

Your organization contains multiple projects. Each project:

* Has its own encrypted token
* Cannot access another project’s providers or data
* Can rotate or revoke keys independently

> Even if someone gets access to one project token, they can’t see or touch other environments.

***

### 🔐 Token Generation

* Based on JWT + crypto signing
* Issued per project (not per user)
* Expirable and revokable
* Scopes built-in for future RBAC

***

### ✅ Security Features

| Feature                     | Status          |
| --------------------------- | --------------- |
| Provider Key Encryption     | ✅ Live          |
| Token-based Auth            | ✅ Live          |
| Project Isolation           | ✅ Live          |
| Auto Key Injection          | ✅ Live          |
| Role-based Access Control   | 🛠️ Coming Soon |
| Activity Logs & Audit Trail | 🛠️ Coming Soon |
| Key Rotation & History      | 🛠️ Coming Soon |

***

### 🔐 Best Practices

* Use different tokens for dev/staging/production
* Never share your JetPero token publicly
* Use readable provider names (e.g., `openai`, `replicate`, etc.)
* Revoke and reconfigure providers when rotating keys

***

### 👁️ Security Roadmap

We're working on:

* Granular permissions & roles
* Real-time token usage logs
* Automated key rotation
* SOC2/GDPR compliance

### 💬 Have a security question or concern?

Reach us directly at[ jetpero.io@gmail.com](mailto:jetpero.io@gmail.com) or 0706172020 via WhatsApp
