Security & Data Handling

Every connection to api.aipower.me and aipower.me is TLS 1.3 encrypted. We do not accept plaintext HTTP. Certificates are issued and auto-rotated by Cloudflare.

When you generate an API key, we store only the SHA-256 hashof it in our database. The raw key is shown once on creation; we cannot recover it if you lose it (you'd create a new one). Key verification on each API call re-hashes and compares, so the plaintext never touches our database.

We do not log or retain your prompt text or the model's response. What we do log per request: timestamp, model, input/output token counts, latency, cost. This is the minimum needed to show you accurate usage on the dashboard. We never train models on your data.

• L0 — Cloudflare Turnstile CAPTCHA on signup
• L1 — Bot-User-Agent filtering (curl/python-requests/etc. rejected at signup endpoint)
• L2 — Email validation (disposable-domain blacklist, keyboard-mash + bot-pattern detection, MX record lookup)
• L3 — Per-IP + per-domain signup rate limits
• L4 — Mandatory email verification via Resend
• L5 — Free-tier daily call cap + expensive-model restriction (paywall absorbs the rest)
• L6 — Hourly registration-rate anomaly alerts to ops

We wrote a full post-mortem of a real attack: How we stopped a 340-bot registration attack in 4 hours.

Running on Cloudflare Workers (global edge, 280+ cities), Cloudflare D1 (SQLite at edge), and Cloudflare KV for caches. Payments are processed exclusively via Stripe; we never see or store card numbers. Stripe Radar scores every payment for fraud risk.

We monitor error rates, provider upstream failures, and unusual registration spikes. Real-time alerts are sent to the ops team (Frank) by email. Service status history is at aipower.me/status.

Found a security issue? Please email security@aipower.me— we respond within 24 hours. Coordinated disclosure preferred; we won't take legal action against good-faith researchers.