Security
Tenant isolation, secret handling, OAuth flow security, proxy authentication, and vulnerability reporting.
How Vendo isolates tenants from each other, how secrets and OAuth tokens are stored and rotated, the authentication contract for the credentials and integration proxies, and the process for reporting security vulnerabilities responsibly.
These pages describe what the platform does today. Where a guarantee depends on an upstream provider (e.g. Composio token storage), that's called out on the page in question.
- Tenant isolation — where the boundaries between one tenant and another are enforced.
- Secret handling — the three classes of secret Vendo deals with, and how each is stored.
- OAuth flow security — the OAuth dance, token rotation, and what happens on revocation.
- Proxy authentication — the `vendo_sk_*` bearer model, key scopes, rotation.
- Reporting vulnerabilities — how to disclose responsibly.