Security and Data Handling
How RelayFox protects webhook traffic and what users should know.
Last updated: July 13, 2026
Security model
Anonymous endpoints are bearer-secret URLs: anyone who knows the random URL can send requests to it and view its anonymous inbox. Account-owned endpoints require the owner or an invited teammate to view history, and CLI access to owned endpoints requires a scoped API token.
Controls
- TLS is required for the public service.
- CLI tokens are stored as cryptographic hashes.
- Platform and proxy credentials are removed from captured headers.
- Server-side replay blocks private, loopback, and metadata addresses.
- Request bodies and endpoint counts are limited by plan.
- Expired endpoints and old request data are removed automatically.
Shared responsibility
Treat endpoint URLs and share links like passwords. Use account-owned endpoints for private work, rotate endpoints after accidental disclosure, verify provider signatures in your application, and avoid sending production secrets or regulated data to testing tools.
Vulnerability disclosure
Send suspected vulnerabilities to security@relayfox.dev. Include reproduction steps and potential impact. Do not access other users' data, run denial-of-service tests, or publish an unresolved issue. Good-faith reports will be investigated promptly.
Incident response
RelayFox investigates credible reports, contains affected systems, rotates exposed credentials where applicable, removes unsafe data, and communicates material incidents to affected users when contact information is available.