Workjet
Log in Join Beta

Security

Security by architecture, not by promise

Workjet is designed so your sensitive data never has to leave your control. Credentials stay in your OS keychain, inference routes through your own gateway, and every interaction is logged immutably.

What data lives where

Workjet separates concerns so sensitive data stays under your control.

Your Device

Never leaves your machine

  • API keys in OS keychain
  • Conversation history (local)
  • Documents & uploaded files
  • Tool connections stored locally
  • Session cookies: HttpOnly + Secure + SameSite

Your Gateway

Cloudflare Workers

  • DLP/PII scanning (SSN, CC, email, phone, AWS keys, API secrets)
  • Model routing (per-tier, priority fallback)
  • Cost metering (per-model token rates)
  • Audit logging (immutable D1 records)
  • Rate limiting (KV-backed per-user/IP)

AI Providers

Inference only, no persistent storage

  • Inference requests only (after DLP scan)
  • No persistent storage of your data
  • Configurable provider selection
  • No raw data retention by providers

How we protect your data

Six layers of defense, from encryption to network architecture.

Encryption

TLS 1.3 for all data in transit. AES-256 at rest for R2 storage and D1 databases. Secure cookies with Domain scoping. Your OS keychain handles credential encryption natively.

DLP Pipeline

Real-time pattern scanning on every request. 6 built-in patterns: credit cards, SSNs, email addresses, phone numbers, AWS keys, and API secrets. Custom regex support. Actions: redact, block, or warn.

Audit Trail

Every AI interaction logged: user, action, model, tokens, cost, DLP result, IP, and user agent. Stored in D1 with optional R2 payload archival. Filterable by action type, user, and date range. Exportable for compliance.

Credential Management

API keys hashed with SHA-256 — raw key shown once, never stored. Session tokens are HttpOnly cookies with 30-day expiry. Google OAuth for passwordless login. No plaintext secrets in any database.

Multi-tenant Isolation

Tenant-scoped queries on every request. Role-based access control with owner, admin, and member roles. Per-tenant DLP policies, routing rules, and budget caps. No cross-tenant data leakage by design.

Network Architecture

All requests proxied through Cloudflare edge (280+ cities). No origin server to attack. D1, KV, and R2 access only via Worker bindings — not public endpoints. Zero exposed infrastructure.

Authentication

How authentication works

Three authentication mechanisms, each designed for its specific use case.

Google OAuth SSO

Passwordless login for portal and marketplace users.

1. Google OAuth redirect

2. API callback → D1 user upsert

3. Session cookie issued

4. Domain=.workjet.dev

API Keys

Programmatic access for desktop app and integrations.

Prefix

wj_live_*

Storage

SHA-256 hash in D1

Scope

Tenant-scoped, shown once

Cross-subdomain Sessions

Single sign-on across all Workjet subdomains.

portal.workjet.dev Admin dashboard
marketplace.workjet.dev Skill discovery
api.workjet.dev API & gateway

Shared via Domain=.workjet.dev cookie with 30-day expiry

Have security questions?

Our team is happy to walk through our architecture and security practices in detail.

Contact security team Read security docs