Security

SpendGraph stores hashed API keys, scopes data access by authenticated organization membership, and verifies Stripe webhook signatures.

Secrets are stored in server-side environment variables and are not intended to be exposed client-side.

Access should be revoked immediately if any credential is suspected to be compromised.

Security contact: security@spendgraph.dev