Security
ARCP is designed with security-first principles: all API keys are hashed with SHA-256, tokens are signed with ES256 JWTs, and all write endpoints require authentication.
API key security
- Keys use format:
arcp_<base64url> - Keys are stored as SHA-256 hashes — never in plaintext
- Keys can have expiry (
key_expires_at) and revocation (key_revoked_at) - All comparisons use timing-safe equality to prevent timing attacks
JWT signing
Render tokens and receipts are signed with ES256 (ECDSA P-256). Verify using the router's public JWKS:
curl https://router.arcp-protocol.com/v1/jwksSecurity headers
All responses include:
X-Content-Type-Options: nosniffX-Frame-Options: DENYStrict-Transport-Security: max-age=31536000; includeSubDomainsCache-Control: no-store(on authenticated responses)
Rate limiting
Rate limits are enforced per-client per-bucket. Limits are configurable per client in the clients table. Defaults:
| Endpoint | Minute limit | Daily quota |
|---|---|---|
| router.query | 60 | 5,000 |
| router.render_opened | 120 | 5,000 |
| router.receipts_export | 30 | 5,000 |
Key rotation
Rotate client API keys by:
- Generate a new key:
npm run arcp:keygen - Insert the new key hash into the
clientstable - Update your application to use the new key
- Set
key_revoked_aton the old key row
WAF protection
All write routes require a non-empty User-Agent header. Requests with missing or blank User-Agent are rejected at the edge before reaching the application. IP-based rate limiting is configured at the Vercel firewall layer.
Reporting vulnerabilities
Report security issues to security@arcp-protocol.com.