
Platform and payment security

See the guards on the public surfaces: payments, rate limits and abuse protection.

Payments

Card details go directly to Stripe and never touch Kabaido. We store only Stripe's references for your subscription, the plan, the billing interval and the renewal date. Incoming payment events are accepted only with a valid Stripe signature.
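The signature check described above, as an added example rather than Kabaido's own code: Stripe signs each webhook delivery with HMAC-SHA256 over "timestamp.raw_body" using the endpoint's secret and sends the result in the Stripe-Signature header (t=..., v1=...). The endpoint secret and event body below are constructed for the example; the tolerance window and the constant-time comparison are the checks a practitioner would keep.

```python
import hashlib
import hmac
import time
from typing import List, Optional, Tuple

# Constructed secret for the example. A real endpoint secret is issued by
# Stripe (it starts with "whsec_") and is held in the environment, never in code.
ENDPOINT_SECRET = "whsec_example_secret_not_real"
TOLERANCE_SECONDS = 300  # replay window; Stripe's library defaults to 5 minutes


def sign_payload(payload: bytes, timestamp: int, secret: str) -> str:
    """Compute the v1 signature: HMAC-SHA256 over "<timestamp>.<raw body>"."""
    signed = f"{timestamp}.".encode("ascii") + payload
    return hmac.new(secret.encode("ascii"), signed, hashlib.sha256).hexdigest()


def parse_signature_header(header: str) -> Tuple[int, List[str]]:
    """Split "t=...,v1=...,v0=..." into the timestamp and every v1 signature."""
    timestamp: Optional[int] = None
    v1: List[str] = []
    for part in header.split(","):
        key, _, value = part.strip().partition("=")
        if key == "t":
            timestamp = int(value)  # ValueError on garbage is handled by the caller
        elif key == "v1":
            v1.append(value)
    if timestamp is None or not v1:
        raise ValueError("malformed Stripe-Signature header")
    return timestamp, v1


def verify_webhook(payload: bytes, header: str, secret: str,
                   now: Optional[int] = None) -> bool:
    """Accept the event only if a v1 signature matches and the timestamp is fresh.

    `payload` must be the raw request body as received: re-serialising the JSON
    changes the bytes and breaks the signature.
    """
    now = int(time.time()) if now is None else now
    try:
        timestamp, signatures = parse_signature_header(header)
    except ValueError:
        return False
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        return False  # stale delivery or a replayed capture
    expected = sign_payload(payload, timestamp, secret)
    # compare_digest keeps the comparison constant-time; any listed v1 may match
    # because Stripe sends two during a secret rotation
    return any(hmac.compare_digest(expected, sig) for sig in signatures)
```

A handler that passes this check should then read only the references it needs (subscription id, plan, interval, renewal date) from the event, which is all the page says is stored.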

Rate limiting

Every public surface is rate limited: the REST API at 600 requests per minute per key, AI request routes per organisation, inbound endpoints per token, the quote portal per link and the OAuth endpoints per address. When a limit is hit the request is rejected with an explicit error rather than being slowed or dropped silently.
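A limiter of the kind described, as an added example and not Kabaido's implementation: a fixed window of 600 requests per minute keyed by API key, which rejects the 601st request with a 429, a machine-readable error body and a Retry-After header instead of quietly slowing it. The header names and error fields are assumptions; the other per-organisation, per-token and per-link limits are the same mechanism with a different key.

```python
import math
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

API_LIMIT = 600        # REST API: requests per minute per key, as stated above
WINDOW_SECONDS = 60


@dataclass
class Decision:
    allowed: bool
    status: int                  # 200: proceed, 429: rejected
    headers: Dict[str, str]
    body: Optional[dict] = None  # error document returned with a 429


@dataclass
class FixedWindowLimiter:
    limit: int = API_LIMIT
    window: int = WINDOW_SECONDS
    clock: Callable[[], float] = time.time   # injectable so the behaviour is testable
    # key -> (window_start, count); the key may be an API key, an org id, a token...
    _state: Dict[str, Tuple[int, int]] = field(default_factory=dict)

    def check(self, key: str) -> Decision:
        now = self.clock()
        window_start = int(now // self.window) * self.window
        reset_at = window_start + self.window
        start, count = self._state.get(key, (window_start, 0))
        if start != window_start:
            count = 0                            # a new window starts the counter over
        headers = {
            "X-RateLimit-Limit": str(self.limit),
            "X-RateLimit-Reset": str(reset_at),
        }
        if count >= self.limit:
            # rejected requests are not counted; the client is told exactly when to retry
            retry_after = max(1, math.ceil(reset_at - now))
            headers["X-RateLimit-Remaining"] = "0"
            headers["Retry-After"] = str(retry_after)
            return Decision(False, 429, headers, {
                "error": "rate_limited",
                "message": f"limit of {self.limit} requests per {self.window}s exceeded",
                "retry_after": retry_after,
            })
        self._state[key] = (window_start, count + 1)
        headers["X-RateLimit-Remaining"] = str(self.limit - count - 1)
        return Decision(True, 200, headers)
```

A fixed window is simple to reason about but lets a client burst up to twice the limit across a window boundary; a sliding window or token bucket tightens that at the cost of a little more state per key. Whichever is used, the state must live in shared storage when the API runs on more than one node.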

AI assistant connections

MCP connections are approved by you over OAuth with PKCE, carry explicit scopes capped by your own role and can be revoked at any time from Settings. Access tokens are short-lived and refresh tokens expire; a tool call outside the granted scopes returns an error, not data.
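The pieces of that flow in one place, as an added example that is not Kabaido's code: the client's PKCE verifier and S256 challenge (RFC 7636), the server capping the requested scopes to what the approving user's role allows, a single-use code exchanged only against the matching verifier, and a tool call that is answered with an error rather than data when the scope is missing or the token has expired. The scope names, role caps and access-token lifetime are assumptions; the page says scopes are capped by role and tokens are short-lived but does not publish the values.

```python
import base64
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Set, Tuple

ACCESS_TOKEN_TTL = 600  # seconds; assumed, the page only says "short lived"

# Assumed scope vocabulary and per-role caps for the example.
ROLE_SCOPE_CAPS: Dict[str, FrozenSet[str]] = {
    "admin":  frozenset({"quotes:read", "quotes:write", "contacts:read", "settings:write"}),
    "member": frozenset({"quotes:read", "quotes:write", "contacts:read"}),
    "viewer": frozenset({"quotes:read", "contacts:read"}),
}


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """Client side: 32 random bytes give 43 unreserved chars (RFC 7636 allows 43-128)."""
    return b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    """S256 challenge sent with the authorize request: BASE64URL(SHA256(verifier))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def cap_scopes(requested: Set[str], role: str) -> FrozenSet[str]:
    """Grant the intersection of what the client asked for and what the role may hold."""
    return frozenset(requested) & ROLE_SCOPE_CAPS.get(role, frozenset())


@dataclass
class AuthServer:
    # authorization code -> (S256 challenge, capped scopes); codes are single use
    pending: Dict[str, Tuple[str, FrozenSet[str]]] = field(default_factory=dict)
    # access token -> (granted scopes, expiry time)
    tokens: Dict[str, Tuple[FrozenSet[str], float]] = field(default_factory=dict)

    def authorize(self, code_challenge: str, requested: Set[str], role: str) -> str:
        """The user approves the MCP client; remember the challenge and the capped scopes."""
        code = secrets.token_urlsafe(24)
        self.pending[code] = (code_challenge, cap_scopes(requested, role))
        return code

    def token(self, code: str, code_verifier: str, now: float) -> Optional[str]:
        """Exchange code + verifier for an access token; fails closed on any mismatch."""
        entry = self.pending.pop(code, None)      # burn the code whether or not it verifies
        if entry is None:
            return None
        challenge, scopes = entry
        if not secrets.compare_digest(code_challenge_s256(code_verifier), challenge):
            return None                           # proof of possession failed
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (scopes, now + ACCESS_TOKEN_TTL)
        return token

    def revoke(self, token: str) -> None:
        """What "revoke from Settings" amounts to: the token stops resolving."""
        self.tokens.pop(token, None)

    def call_tool(self, token: str, required_scope: str, data, now: float) -> dict:
        """A call outside the granted scopes, or with a dead token, gets an error, never data."""
        entry = self.tokens.get(token)
        if entry is None:
            return {"error": "invalid_token"}
        scopes, expires_at = entry
        if now >= expires_at:
            return {"error": "token_expired"}
        if required_scope not in scopes:
            return {"error": "insufficient_scope",
                    "required": required_scope, "granted": sorted(scopes)}
        return {"result": data}
```

Note that the scope cap is applied when the grant is created, not at call time, so a user whose role is later reduced keeps the old grant until it is revoked or expires; that is why revocation and short token lifetimes matter together.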

Operational hygiene

  • Secrets are environment held, never committed and never sent to the browser.
  • Webhook delivery failures retry on a fixed schedule and record their last error, visible in Settings.
  • Quote validity, token expiry and stale OAuth grants are cleaned by scheduled jobs.
  • Money is handled as integer minor units with decimal arithmetic, removing floating point drift from totals.
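The last point in practice, as an added example (not Kabaido's code): amounts are integers in minor units, rates are Decimals, each rounding happens once and explicitly, and an amount split across parts is allocated so the parts always sum to the whole. The tax rates and line items are constructed for the example.

```python
from decimal import Decimal, ROUND_HALF_UP
from typing import List, Tuple

ONE_MINOR_UNIT = Decimal("1")  # quantize target: whole pence/cents


def apply_rate(amount_minor: int, rate: Decimal) -> int:
    """Multiply a minor-unit amount by a decimal rate, rounding once, half up."""
    return int((Decimal(amount_minor) * rate).quantize(ONE_MINOR_UNIT, rounding=ROUND_HALF_UP))


def line_total(unit_minor: int, quantity: int, tax_rate: Decimal) -> Tuple[int, int, int]:
    """Return (net, tax, gross) for a quote line, all in minor units."""
    net = unit_minor * quantity
    tax = apply_rate(net, tax_rate)
    return net, tax, net + tax


def allocate(amount_minor: int, weights: List[int]) -> List[int]:
    """Split an amount by weight without losing or inventing a unit (largest remainder)."""
    total_weight = sum(weights)
    shares = [amount_minor * w // total_weight for w in weights]
    leftover = amount_minor - sum(shares)
    # hand the leftover units to the parts with the largest fractional remainder
    order = sorted(range(len(weights)),
                   key=lambda i: (amount_minor * weights[i]) % total_weight,
                   reverse=True)
    for i in order[:leftover]:
        shares[i] += 1
    return shares


def float_drift_example() -> Tuple[float, int]:
    """The drift that integer minor units avoid: ten 10p items summed as floats."""
    as_float = sum(0.10 for _ in range(10))   # not 1.0 in IEEE 754 doubles
    as_minor = sum(10 for _ in range(10))     # exactly 100 pence
    return as_float, as_minor
```

Two details carry the weight: ROUND_HALF_UP is chosen explicitly (Python's round() on floats uses banker's rounding and is subject to representation error), and allocate() is what makes a discount or a split payment reconcile to the penny instead of drifting by one unit per line.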

Reporting a vulnerability

If you believe you have found a security issue, email hello@kabaido.com with the details. We acknowledge reports and keep you informed while we investigate. Please do not test against other organisations' data.