Authentication & Security

Arrotech Hub prioritizes the security of your data and integrated platforms. All API requests must be authenticated and transmitted over HTTPS.

API Keys

We use standard Bearer Token authentication. You can generate and manage your API keys in the Arrotech Dashboard.

Usage

Include your API key in the Authorization header of every request:

Authorization: Bearer <your_api_key>

Security Best Practices

  1. Server-Side Only: Never expose your Arrotech API key in client-side code (browsers, mobile apps). Always proxy requests through your own backend.
  2. Rotation: Rotate your keys periodically or immediately if you suspect they have been compromised.
  3. Scoped Access: (Coming Soon) Permissions will soon be granular, allowing you to create keys that only access specific agents or workflows.

Infrastructure Security

  • Encryption at Rest: All sensitive connection data (like OAuth tokens for HubSpot or Slack) is encrypted using AES-256 before being stored in our database.
  • Encryption in Transit: All traffic is encrypted via TLS 1.3.
  • Audit Logging: Every action taken by an AI agent or a manual API call is logged, providing a full audit trail for compliance.

Rate Limits

To ensure system stability, we enforce tier-based rate limits:

Tier            Rate Limit
Free            50 requests / minute
Professional    500 requests / minute
Enterprise      Custom

If you exceed these limits, the API will respond with a 429 Too Many Requests status code.
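
The sketch below shows one way a backend proxy can follow the "Server-Side Only" practice and handle the 429 response described above. It is an added example, not Arrotech code. The base URL is a placeholder, and the ARROTECH_API_KEY variable name and the backoff schedule are assumptions.

```python
import os
import time
import urllib.error
import urllib.request

# Placeholder: the page does not give the API base URL.
UPSTREAM_BASE = "https://api.example.invalid"
# Client-supplied headers that must never be forwarded upstream.
STRIP = {"authorization", "cookie", "host", "content-length"}


def upstream_headers(client_headers, api_key):
    """Drop client credentials, then attach the server-held Bearer key."""
    out = {k: v for k, v in client_headers.items() if k.lower() not in STRIP}
    out["Authorization"] = f"Bearer {api_key}"
    return out


def http_send(method, url, headers, body):
    """Real transport: returns (status, body) instead of raising on 4xx/5xx."""
    if not url.startswith("https://"):
        raise ValueError("refusing non-HTTPS upstream")
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def proxy(method, path, client_headers, body=None, *, send=http_send,
          sleep=time.sleep, max_attempts=4, base_delay=1.0):
    """Forward one client request; back off and retry while rate limited."""
    # Key is read from the server environment (assumed variable name), so it
    # never appears in browser or mobile code.
    api_key = os.environ["ARROTECH_API_KEY"]
    headers = upstream_headers(client_headers, api_key)
    url = UPSTREAM_BASE + path
    for attempt in range(max_attempts):
        status, payload = send(method, url, headers, body)
        # Return anything that is not 429, or the final 429 once retries run out.
        if status != 429 or attempt == max_attempts - 1:
            return status, payload
        sleep(base_delay * 2 ** attempt)  # exponential backoff: 1s, 2s, 4s
```

The `send` and `sleep` parameters exist so the retry logic can be exercised with a fake transport, without network access or real delays.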