Security

Understand credential storage, project isolation, auditability, and operational safeguards in Connexsus.

Last updated: March 6, 2026

Credential Storage

Connexsus stores third-party credentials through the encrypted vault model used by integrations. OAuth tokens and API keys are never exposed on public pages and remain bound to authenticated project workflows.

Project Isolation

Provider assignment, registry toggles, and MCP tool visibility remain project-aware. Public SEO pages describe published provider metadata only and do not leak connected state, installs, or any private runtime context.

Edge Protection

If the frontend runs on Vercel and the authenticated gateway stays on gateway.connexsus.io, avoid browser-oriented bot protection on the gateway host. Cloudflare Bot Fight Mode can block legitimate server-side fetches from the Next.js app before they reach Worker auth or route logic.

The safer pattern is to keep explicit auth, rate limits, and targeted WAF rules on the gateway, while reserving more aggressive bot protection for the public frontend host.
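
The gateway-side pattern described above, as an added example (not Connexsus code): a request is admitted on an explicit service token and a per-caller token bucket, with no dependence on browser signals, so a server-side fetch from the Next.js app is judged the same way as any other caller. The token value, limits, header shape, and function names are assumptions made for illustration.

```javascript
// Added example: all names, tokens and limits below are constructed, not Connexsus code.
const SERVICE_TOKENS = new Map([["constructed-token-nextjs-app", "nextjs-frontend"]]);
const BUCKET_CAPACITY = 3;    // burst size per caller (assumed)
const REFILL_PER_SECOND = 1;  // sustained rate per caller (assumed)
const buckets = new Map();    // caller id -> { tokens, last }

// Compare two strings without returning early at the first mismatch.
function constantTimeEqual(a, b) {
  let diff = a.length ^ b.length;
  for (let i = 0; i < a.length; i++) {
    diff |= a.charCodeAt(i) ^ (b.charCodeAt(i) || 0);
  }
  return diff === 0;
}

// Explicit auth: map a bearer token to a caller id, or null if it is unknown.
// Header names are assumed to be lower-cased already.
function authenticate(headers) {
  const match = /^Bearer (.+)$/.exec(headers["authorization"] || "");
  if (!match) return null;
  let caller = null;
  for (const [token, id] of SERVICE_TOKENS) {
    if (constantTimeEqual(match[1], token)) caller = id;
  }
  return caller;
}

// Token bucket keyed by authenticated caller, refilled by elapsed time.
function takeToken(caller, nowMs) {
  const b = buckets.get(caller) || { tokens: BUCKET_CAPACITY, last: nowMs };
  const refill = ((nowMs - b.last) / 1000) * REFILL_PER_SECOND;
  b.tokens = Math.min(BUCKET_CAPACITY, b.tokens + refill);
  b.last = nowMs;
  buckets.set(caller, b);
  if (b.tokens < 1) return false;
  b.tokens -= 1;
  return true;
}

// The decision never inspects User-Agent, cookies, or a JavaScript challenge result.
function gatewayDecision(request, nowMs) {
  const caller = authenticate(request.headers);
  if (!caller) return { status: 401, reason: "missing or invalid service token" };
  if (!takeToken(caller, nowMs)) return { status: 429, reason: "rate limit exceeded" };
  return { status: 200, caller };
}

// A browser-looking request without a token is rejected on auth alone.
console.log(gatewayDecision({ headers: { "user-agent": "Mozilla/5.0" } }, 0).status);
```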

Operational Guardrails

Connexsus uses audit events, feature flags, and validation layers across catalog, ingest, and runtime provider flows. That structure helps teams ship MCP providers without turning every client into a one-off secret distribution problem.