Security

When you call a Zephex MCP tool, Zephex receives:

• Your API key as a Bearer token. Keys are hashed in storage and not retained in plaintext.
• The tool name you called.
• The arguments you passed, such as a file path, search pattern, or URL.
• Basic request metadata such as timestamp and IP address for rate limiting and abuse prevention.

Zephex does not receive:

• Your AI model prompt or full chat history.
• The full contents of your repository by default.
• Your editor's surrounding conversation context.

Tool outputs pass through Zephex infrastructure before returning to your editor. Content is not stored beyond what is needed to process the request.

API key hashes are retained for authentication as long as your account is active. Per-request metadata such as tool name, timestamp, and IP address is retained for rate limit enforcement and usage tracking. Tool input and output content is not persistently logged. If you delete your account, account data is removed within 30 days.

Zephex does not use prompts, tool inputs, tool outputs, or code accessed through the tools to train AI models. This applies across all tiers.

• All editor and API traffic is expected to use HTTPS.
• Security headers, redirect behavior, and TLS posture can be validated with audit_headers after deploy.
• The hosted MCP endpoint removes the need for local stdio bridges and local package proxies.

• Failed authentication attempts and unusual request spikes should be monitored.
• Audit logging is used for authentication events and operational changes.
• Rate-limit events and suspicious patterns can be reviewed through operational monitoring.