Security
AgentRecall implements multiple layers of security to protect sensitive data.
Overview
Security is a core design principle of AgentRecall. We implement:
- Three-layer sanitization (client + server)
- API key authentication
- Rate limiting
- HTTPS encryption
Three-Layer Sanitization
All data submitted to AgentRecall goes through three layers of sanitization:
Layer 1: Regex Sanitization
Pattern-based detection and replacement of sensitive data:
| Pattern Type | Example | Replaced With |
|---|---|---|
| API Keys | sk-abc123... | {API_KEY} |
| Email | user@example.com | {EMAIL} |
| IP Address | 192.168.1.1 | {IP_ADDRESS} |
| JWT Token | eyJhbG... | {JWT_TOKEN} |
| Passwords | password=secret | {REDACTED} |
Layer 2: Structure Sanitization
JSON-aware sanitization that preserves structure while replacing sensitive values:
- Detects sensitive field names (password, secret, token, key)
- Replaces values with type indicators
- Preserves JSON structure for readability
Layer 3: Entropy Detection
Shannon entropy analysis to detect high-entropy strings (likely secrets):
- Calculates entropy for strings 32+ characters
- Entropy threshold: 4.5
- Replaces high-entropy strings with {HIGH_ENTROPY_LEN_N}
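A sketch of the Layer 3 check, added here as an illustration; it is not AgentRecall's own code. The 32-character minimum, the 4.5 threshold and the placeholder format come from the list above. The candidate-token regex, the strict `>` comparison, the reading of `N` as the string's length, and the sample strings are assumptions.

```python
import math
import re
from collections import Counter

MIN_LEN = 32     # from the page: only strings of 32+ characters are scored
THRESHOLD = 4.5  # from the page: entropy threshold (bits per character)

# Assumption: a candidate "string" is a run of characters commonly found in
# keys and tokens (base64/hex/URL-safe alphabets plus '.', '_', '-').
CANDIDATE = re.compile(r"[A-Za-z0-9+/_=.-]{%d,}" % MIN_LEN)


def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character."""
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def redact_high_entropy(text: str) -> str:
    """Replace long, high-entropy runs with a length-tagged placeholder."""
    def repl(match: re.Match) -> str:
        token = match.group(0)
        # Assumption: N in {HIGH_ENTROPY_LEN_N} is the original length.
        if shannon_entropy(token) > THRESHOLD:
            return "{HIGH_ENTROPY_LEN_%d}" % len(token)
        return token
    return CANDIDATE.sub(repl, text)


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    secret = "Xk9fQ2mVb7LpR4tZs8WnY3hJc6DgA1uE5oTq0NiB"   # 40 distinct chars
    path = "node_modules/node_modules/node_modules"      # long, low entropy
    for sample in (
        'config = {"token": "%s"}' % secret,   # redacted
        "cannot resolve %s" % path,            # kept: entropy below 4.5
        "short value %s" % secret[:16],        # kept: under 32 characters
    ):
        print(redact_high_entropy(sample))
```

The third sample shows the limit of this layer: a secret shorter than 32 characters is never scored, so it has to be caught by the regex or field-name layers.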
Client + Server Protection
Double sanitization ensures maximum protection:
- Client-side: Sanitize before sending (sensitive data never leaves the local machine)
- Server-side: Sanitize again as fallback protection
This "defense in depth" approach ensures that even if client-side sanitization is skipped, server-side sanitization will catch sensitive data.
Authentication
MCP Interface
Uses x-api-key header for authentication:
x-api-key: ak_YOUR_API_KEY
Admin Panel
Uses JWT tokens obtained through email/password login.
Best Practices
- Always sanitize data client-side before submission
- Use environment variables for API keys
- Rotate API keys periodically
- Use HTTPS for all requests