Security
Dib stores everything from receipts to floor plans. We take API security seriously, and we expect partners to as well.
What Dib does
- Keys are stored as HMAC-SHA256 hashes with a server-side pepper — even a full DB compromise won't leak usable tokens.
- Constant-time comparisons everywhere keys are matched.
- Brute-force suppression: revoked keys are silently tarpitted to avoid leaking which keys ever existed.
- Honeypot routes attached to common scanner paths — hitting them flags the source IP for review.
- GitHub secret-scanning partner: any dib_live_* key discovered in public code is auto-revoked, and the team gets a notification with the leaked path.
- Optional spend caps per key for endpoints that incur usage cost (Smart Add, document extract, AI chat).
- Server-side SSRF protections on every endpoint that accepts a user-provided URL (Smart Add, document extract).
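The first two bullets (peppered HMAC-SHA256 storage and constant-time matching) worked through as an added, self-contained Python example. This is not Dib's code: the key layout dib_live_<id>_<secret>, the pepper value, and the in-memory key table are assumptions made for illustration, and revocation here is a plain deny rather than the tarpit the page describes.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Assumed server-side pepper. In production it comes from a secrets manager or
# KMS and is never stored next to the key table, so a database dump on its own
# yields hashes that cannot be verified or brute-forced without it.
PEPPER = b"constructed-example-pepper-not-for-production"

KEY_PREFIX = "dib_live_"   # prefix from the page; the id/secret layout below is an assumption
KEY_ID_LEN = 16            # hex characters of key id embedded in the token (assumed layout)

# Dummy digest used when no record exists, so the failure path does the same
# HMAC + comparison work as the success path and does not reveal which ids exist.
_DUMMY_HASH = "0" * 64


def hash_key(raw_key: str, pepper: bytes = PEPPER) -> str:
    """Peppered HMAC-SHA256 of the full raw key; this hex digest is all that is persisted."""
    return hmac.new(pepper, raw_key.encode("utf-8"), hashlib.sha256).hexdigest()


def _key_id(raw_key: str) -> Optional[str]:
    """Extract the non-secret key id from a token of the assumed layout, or None."""
    if not raw_key.startswith(KEY_PREFIX):
        return None
    key_id, sep, _secret = raw_key[len(KEY_PREFIX):].partition("_")
    if sep != "_" or len(key_id) != KEY_ID_LEN:
        return None
    return key_id


def issue_key(store: dict) -> str:
    """Mint a key, persist only its peppered hash, and return the raw key exactly once."""
    key_id = secrets.token_hex(KEY_ID_LEN // 2)
    raw_key = f"{KEY_PREFIX}{key_id}_{secrets.token_urlsafe(32)}"
    store[key_id] = {"hash": hash_key(raw_key), "revoked": False}
    return raw_key


def revoke_key(store: dict, raw_key: str) -> bool:
    """Mark a key revoked; returns False if the id is unknown."""
    key_id = _key_id(raw_key)
    if key_id is None or key_id not in store:
        return False
    store[key_id]["revoked"] = True
    return True


def verify_key(store: dict, presented: str) -> bool:
    """Constant-time verification of a presented key against the stored hash.

    Lookup is by the non-secret id; the secret is only ever compared through
    hmac.compare_digest on the HMAC digests, never by == on the raw string.
    """
    key_id = _key_id(presented)
    record = store.get(key_id) if key_id is not None else None
    stored_hash = record["hash"] if record is not None else _DUMMY_HASH
    candidate = hash_key(presented)
    matched = hmac.compare_digest(candidate, stored_hash)
    # Revocation is evaluated after the comparison so that revoked and
    # never-issued keys take the same code path up to this point.
    return matched and record is not None and not record["revoked"]


if __name__ == "__main__":
    table = {}                       # constructed in-memory stand-in for the key table
    key = issue_key(table)
    print("issued:", key[:24] + "...")
    print("valid:", verify_key(table, key))
    print("tampered:", verify_key(table, key + "x"))
    revoke_key(table, key)
    print("after revoke:", verify_key(table, key))
```

Because the pepper is an HMAC key rather than a salt concatenated into the hash, an attacker holding only the table cannot even test candidate keys offline, which is the property the first bullet claims; compare_digest on the digests gives the constant-time behaviour the second bullet describes.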
What we expect from you
- Server-side only. Never ship keys to a browser bundle.
- One key per environment. Easy revocation, clean audit logs.
- Rotate proactively if a contributor leaves the team.
- Set an IP allowlist on any key that doesn't need to be portable.
- Treat any 401 spike as suspicious — Dib will email you, but alert your own on-call too.
Reporting a vulnerability
Email security@dib.io with details and a proof-of-concept. We respond within one business day and pay bounties on validated issues.