Do not open public issues for security vulnerabilities. Email: security@agentforge.dev
- API keys are stored in `.env` on the server
- Never sent to the browser
- Backend proxies all LLM requests
- Use strong API keys
- Rotate keys regularly
- Run behind a reverse proxy in production
- Set `CORS_ORIGINS` to your domain only