Security

Every request is authenticated via the X-My-API-Key header. Keys are hashed with bcrypt before storage. We never store plaintext API keys in our database.

Restrict API key usage to specific IP addresses. Any request from a non-whitelisted IP is immediately rejected with a 403 response. Configure through the admin panel or user dashboard.

Per-key rate limits with configurable tiers (RPM and daily quotas) prevent abuse and ensure fair usage across all users. Rate limit headers are included in every response for transparency.

Every API request is logged with timestamp, model used, token count, response code, and IP address. Logs are available through the admin dashboard and are retained per your plan's retention policy.

All communication between your application and VedasLab is encrypted via TLS 1.3. We enforce HTTPS on all endpoints — unencrypted connections are rejected.

Keys exhibiting abnormal patterns (rapid bursts, scraping, unauthorized access attempts) are automatically flagged and temporarily suspended. Admins can manage suspensions from the dashboard.