Security
Account security, sessions, and best practices
API Key Security
- API keys use the format sk-r9k-<key> and are hashed with SHA-256 before storage
- Keys are encrypted at rest using AES-256-GCM
- The full key is shown only once at creation/regeneration — it cannot be retrieved later
- Each agent plan has exactly one active key; regenerating immediately invalidates the old key
Best Practices
- Store keys in environment variables, never in source code
- Use separate agent plans (and keys) for different applications
- Regenerate keys immediately if you suspect exposure
- Monitor audit logs for unexpected request patterns
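The sketch below is an added example, not Router9 code. It shows the first practice from both sides: reading the key from the environment and failing closed, and scanning source text for key literals that carry the documented sk-r9k- prefix. The variable name ROUTER9_API_KEY and the character set and minimum length of the secret part are assumptions; the page documents only the prefix.

```python
import os
import re

# Assumption: the page documents only the "sk-r9k-" prefix; the character set
# and minimum length of the secret part are guesses made for this example.
KEY_PATTERN = re.compile(r"sk-r9k-[A-Za-z0-9_\-]{16,}")
ENV_VAR = "ROUTER9_API_KEY"  # hypothetical variable name, not from the docs


def redact(key: str) -> str:
    """Return a log-safe form: the prefix plus the last four characters."""
    return f"sk-r9k-...{key[-4:]}"


def load_api_key(environ=os.environ) -> str:
    """Fetch the key from the environment; fail closed if absent or malformed."""
    key = environ.get(ENV_VAR, "").strip()
    if not KEY_PATTERN.fullmatch(key):
        # The rejected value is deliberately left out of the error message.
        raise RuntimeError(f"{ENV_VAR} is unset or not in sk-r9k-<key> form")
    return key


def find_hardcoded_keys(text: str, filename: str = "<input>"):
    """Return (filename, line number, redacted key) for each key literal found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in KEY_PATTERN.finditer(line):
            findings.append((filename, lineno, redact(match.group())))
    return findings


# Constructed sample: the key below is fake and exists only for this demo.
SAMPLE_SOURCE = '''\
import requests
API_KEY = "sk-r9k-EXAMPLEexample0123456789abcd"   # hard-coded: flagged
api_key = os.environ["ROUTER9_API_KEY"]           # from environment: clean
'''

if __name__ == "__main__":
    for finding in find_hardcoded_keys(SAMPLE_SOURCE, "app.py"):
        print("hard-coded key at %s:%d (%s)" % finding)
    try:
        print("loaded key", redact(load_api_key()))
    except RuntimeError as exc:
        print("refusing to start:", exc)
```

Any key the scanner finds in committed code should be treated as exposed and regenerated, since regenerating immediately invalidates the old key.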
Session Management
View and manage your active login sessions at Profile → Security.
Active Sessions
Each session shows:
- Browser and operating system
- "This device" badge for your current session
- IP address and last activity time
Revoking Sessions
- Click Revoke next to any non-current session to sign it out
- Click Sign Out All Other Sessions to revoke all sessions except your current one
Account Deletion
To permanently delete your account:
- Go to Profile → Security
- Scroll to the Danger Zone
- Click Delete Account
- Type DELETE to confirm
This permanently removes:
- Your user account
- All agent plans and API keys
- All usage data and audit logs
- All stored files
This action cannot be undone.
Authentication
Router9 uses passwordless email authentication:
- Enter your email address
- Receive a 6-digit one-time code via email
- Enter the code to sign in
No passwords are stored or transmitted. Codes expire after a short period and can only be used once.
Data Isolation
Each agent plan provides complete data isolation:
- API keys are scoped to a single agent
- Storage files are prefixed by agent ID and cannot be accessed cross-agent
- Audit logs are per-agent
- Usage quotas are tracked independently per agent