Router9
Documentation
Token Plan

Security

Account security, sessions, and best practices

API Key Security

  • API keys use the format sk-r9k-<key> and are hashed with SHA-256 before storage
  • Keys are encrypted at rest using AES-256-GCM
  • The full key is shown only once at creation/regeneration — it cannot be retrieved later
  • A Token Plan can have multiple active keys (up to 5); deleting one revokes it immediately without affecting the others

Best Practices

  • Store keys in environment variables, never in source code
  • Use separate Token Plans (and keys) for different applications
  • Regenerate keys immediately if you suspect exposure
  • Monitor audit logs for unexpected request patterns

Session Management

View and manage your active login sessions at Profile → Security.

Active Sessions

Each session shows:

  • Browser and operating system
  • "This device" badge for your current session
  • IP address and last activity time

Revoking Sessions

  • Click Revoke next to any non-current session to sign it out
  • Click Sign Out All Other Sessions to revoke all sessions except your current one

Account Deletion

To permanently delete your account:

  1. Go to Profile → Security
  2. Scroll to the Danger Zone
  3. Click Delete Account
  4. Type DELETE to confirm

This permanently removes:

  • Your user account
  • All Token Plans and API keys
  • All usage data and audit logs
  • All stored files

This action cannot be undone.

Authentication

Router9 uses passwordless email authentication:

  1. Enter your email address
  2. Receive a 6-digit one-time code via email
  3. Enter the code to sign in

No passwords are stored or transmitted. Codes expire after a short period and can only be used once.

Data Isolation

Each Token Plan provides complete data isolation:

  • API keys are scoped to a single Token Plan
  • Audit logs are per-plan
  • Usage quotas are tracked independently per plan

On this page