Security
GhostPour is designed to be server-authoritative. Knowing how it works doesn't help bypass it. That's the whole point of open-sourcing it.
Security Model
Server-Side Tier Enforcement
JWTs contain only the user's identity, never their tier or allocation. Every request reads the user's tier from the database. There is no way for a client to "upgrade itself" by modifying requests or tokens.
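The pattern described above, as an added example that is not GhostPour's own code. It assumes HS256 tokens signed with a shared secret and a SQLite `users` table; every function name, the secret, and the sample row are constructed for illustration.

```python
import base64, hashlib, hmac, json, sqlite3, time

SECRET = b"constructed-demo-secret-0123456789abcdef"  # constructed; read from env in practice

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mac(signing_input, secret):
    return hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()

def issue_token(sub, ttl=3600, secret=SECRET, **extra_claims):
    # extra_claims exists only so the demo can smuggle in a "tier" claim.
    head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps({"sub": sub, "exp": time.time() + ttl, **extra_claims}).encode())
    return f"{head}.{body}.{b64url(mac(f'{head}.{body}', secret))}"

def verified_subject(token, secret=SECRET):
    """Return the token's subject if signature and expiry check out, else raise ValueError."""
    try:
        head, body, sig = token.split(".")
        if json.loads(b64url_decode(head))["alg"] != "HS256":
            raise ValueError("unexpected algorithm")
        if not hmac.compare_digest(mac(f"{head}.{body}", secret), b64url_decode(sig)):
            raise ValueError("bad signature")
        claims = json.loads(b64url_decode(body))
        if claims["exp"] <= time.time():
            raise ValueError("expired")
        return str(claims["sub"])  # identity is the only claim ever used
    except (KeyError, TypeError) as exc:
        raise ValueError("malformed token") from exc

def tier_for_request(token, db):
    """Tier comes from the users table on every call, never from the token."""
    row = db.execute("SELECT tier FROM users WHERE id = ?",
                     (verified_subject(token),)).fetchone()
    if row is None:
        raise PermissionError("unknown user")
    return row[0]

def demo_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id TEXT PRIMARY KEY, tier TEXT NOT NULL)")
    db.execute("INSERT INTO users VALUES ('user-123', 'free')")  # constructed row
    return db
```

A validly signed token that carries a `tier` claim still resolves to the database value, and a tier change in the database applies to tokens already issued.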
API Keys Never Leave the Server
Your LLM provider credentials stay in server-side environment variables. The iOS app never sees upstream API keys. Requests are proxied through GhostPour, so users interact with your API, not your provider's.
Apple Sign In Verification
Identity tokens are verified against Apple's JWKS endpoint with bundle ID validation. Tokens from other apps are rejected. This prevents cross-app token reuse.
Server-Side Cost Tracking
Every request's cost is calculated and deducted server-side. Replaying requests still costs the attacker their own quota. There's no client-side honor system for usage.
SSL Certificate Pinning
The iOS client pins certificate authority public keys on all GhostPour API calls. This blocks MITM proxy tools from intercepting traffic, even on jailbroken devices. Pinning covers authentication, chat, subscriptions, remote config, and feature service calls.
Service-to-Service Authentication
Internal service communication (between GhostPour and feature services like Context Quilt) uses JWT bearer token authentication with registered app credentials. Legacy authentication methods are disabled once JWT auth is enforced.
HTTPS Everywhere
All traffic is encrypted with TLS via Let's Encrypt. HTTP requests are automatically redirected to HTTPS.
What This Means for Deployers
When you deploy GhostPour for your own app, the security model protects you in three ways:
- Your API keys are safe. Users never see your LLM provider credentials, even if they inspect network traffic.
- Your revenue is protected. Tier enforcement and cost tracking are server-side. Users can't bypass subscription limits.
- Your users are protected. Apple Sign In verification and certificate pinning keep authentication secure.
Best Practices
- Use a strong, randomly generated JWT secret (minimum 32 characters)
- Keep admin keys secret and rotate them periodically
- Never commit .env or credential files to version control
- Store all provider API keys in environment variables, not config files
- Restrict admin panel access to trusted IP addresses
- Consider shorter JWT lifetimes (60 minutes) if your app supports token refresh
Reporting Vulnerabilities
If you discover a security vulnerability, please report it responsibly.
Do not open a public GitHub issue for security vulnerabilities.
Email security@ghostpour.com or use GitHub's private vulnerability reporting.
Response timeline:
- Acknowledgment within 48 hours
- Assessment within 1 week
- Critical fixes within 72 hours
In scope: authentication bypass, authorization flaws, API key exposure, injection vulnerabilities, rate limit bypass.
Out of scope: denial of service, upstream LLM provider issues, social engineering.