Security
How we handle ingest keys, authentication, data access, and how to report vulnerabilities.
Ingest keys and tokens
Your project ingest key (DEPENDWATCH_INGEST_KEY) is used to authenticate event ingestion from the SDK. We store a hash of the key for verification; we do not store or log the raw key. Keys are shown in full only once at creation or rotation — copy and store them in your environment or secrets manager. Never commit keys to source control or expose them in client-side code. You can rotate keys at any time from Project → Settings → Ingest API keys; the previous key is invalidated immediately.
MCP tokens (for Cursor or other assistants) can be created and revoked in the dashboard. Treat them like secrets; anyone with a token can read project metadata and send test events for that project.
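The hash-only storage and immediate invalidation on rotation described above can be sketched as follows. This is an added example, not DependWatch's own code; the class name, the `dw_example_` key prefix, and the choice of SHA-256 are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class IngestKeyStore:
    """Hypothetical server-side store: keeps one key digest per project."""

    def __init__(self):
        self._digests = {}  # project_id -> hex SHA-256 digest of the active key

    @staticmethod
    def _digest(raw_key):
        # A fast hash is acceptable only because the key is a long random
        # token; human-chosen passwords need a slow KDF instead.
        return hashlib.sha256(raw_key.encode("utf-8")).hexdigest()

    def issue(self, project_id):
        """Create or rotate a key. The raw value is returned once, never stored."""
        raw_key = "dw_example_" + secrets.token_urlsafe(32)  # constructed format
        # Overwriting the digest is what invalidates the previous key at once.
        self._digests[project_id] = self._digest(raw_key)
        return raw_key

    def verify(self, project_id, presented_key):
        """Check a key presented by an SDK request against the stored digest."""
        stored = self._digests.get(project_id)
        if stored is None or not presented_key:
            return False  # unknown project or empty key: fail closed
        # Compare digests in constant time to avoid a timing side channel.
        return hmac.compare_digest(stored, self._digest(presented_key))

    def stored_values(self):
        """Everything a database dump would reveal: digests only."""
        return list(self._digests.values())


if __name__ == "__main__":
    store = IngestKeyStore()
    first = store.issue("project-a")
    print("valid before rotation:", store.verify("project-a", first))
    second = store.issue("project-a")  # rotation
    print("old key after rotation:", store.verify("project-a", first))
    print("new key after rotation:", store.verify("project-a", second))
```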
Environment and configuration
We recommend keeping the ingest key and any sensitive configuration in environment variables or a secrets manager. The SDK is designed for server-side use only; do not use it in browser or mobile code where the key could be exposed. Our documentation describes safe patterns for initialization and wrapping API calls.
Session and authentication
Web sessions use HTTP-only cookies. Sign-in is via OAuth (Google, GitHub) or magic-link email. Session data is only used to identify you and enforce access to your workspaces and projects. We do not use it for advertising or third-party tracking.
Data access boundaries
Event and project data are scoped by workspace and project. Only users with access to a workspace can see its projects and metrics. We do not use your event data to train models or for anything unrelated to running DependWatch. Only the small team that operates the service has access to production data.
Transport security
All traffic between your application and DependWatch, and between your browser and our web app, uses TLS (HTTPS). We do not log request bodies at the ingest endpoint; we process and store only the structured event payload (provider, endpoint, latency, status, optional cost) needed for the dashboard and guardrails.
Reporting vulnerabilities
If you find a security vulnerability, email security@dependwatch.app with a description and steps to reproduce. We will acknowledge your report and work with you to fix it. Please do not disclose it publicly before we have a chance to respond. For general security or product questions, use our Contact page.