Security
Security is a top priority for the Sign Relay system.
Access Control
IP Whitelisting
Documentation and admin endpoints are restricted to specific IP addresses:
177.10.3.14- Primary access127.0.0.1- Local development
API Authentication
All API requests require a valid API key passed via Bearer token:
Authorization: Bearer YOUR_API_KEYData Protection
Encryption in Transit
All communications use TLS 1.3 encryption.
Encryption at Rest
Documents stored in R2 are encrypted using server-side encryption.
Audit Logging
All API requests are logged for security auditing:
- Request timestamp
- Client IP address
- API endpoint
- Response status
- Request duration
Rate Limiting
API endpoints are protected by rate limiting to prevent abuse:
- 100 requests per minute per API key
- 10 requests per second burst limit
Webhook Security
Incoming webhooks from signature providers are verified:
- Signature validation using provider secrets
- Timestamp validation to prevent replay attacks
- IP allowlisting for known provider IPs