Security & compliance
How MailAgent handles access control, tenant isolation, secrets, and operational change management. This is an engineering summary — not a SOC 2 certificate.
Report a vulnerability
Do not file public GitHub issues for security-sensitive reports. Use private vulnerability reporting or email hello@webmailagent.com. Full policy: SECURITY.md.
Access control (CC6)
| Control | Implementation |
|---|---|
| API authentication | Bearer API keys; scoped keys (labelPrefix, readOnly) |
| MCP OAuth | client_credentials JWT (mat_) + optional Auth0 OIDC |
| Team isolation | Team-scoped keys, domains, inboxes, audit events |
| Secrets in clients | No API keys in static bundles; env / Worker secrets only |
Scoped keys guide → · MCP OAuth →
Operations (CC7)
| Control | Implementation |
|---|---|
| Deploy gate | test:prod:gate on push; full test:prod on tag v* |
| Audit log | GET /v1/audit · retention cron (AUDIT_RETENTION_DAYS) |
| Rate limits | Per-key KV-sampled limits; plan tiers in GET /v1/me |
Change management (CC8)
- MIT source on GitHub — PR + CI required
- SQL migrations in
migrations/; optionaldb:migrateon deploy - Versioned npm packages
@mailagent/*and API hubGET /v1/agent
Enterprise tenant isolation
Enterprise teams can attach a dedicated Resend account for custom domains, per-team inbound webhooks, and outbound send — isolated from the shared hosted Resend quota.
- Resend API keys encrypted at rest (AES-256-GCM, PBKDF2-derived key from Worker secret)
- Per-team webhook path:
POST /webhooks/resend/team/:teamId - Configure in Dashboard or
PUT /v1/team/dedicated-resend
Dedicated Resend setup → · Enterprise overview →
Availability (A1)
- Cloudflare Workers edge deployment
- Email queue DLQ:
mailagent-email-dlq - Self-host option — no vendor lock-in (Integrate)
Before SOC 2 Type II
Outstanding for a formal audit (not blockers for self-host or enterprise pilot):
- Independent penetration test report — vendor scope: PENTEST-PREP.md
- Operator access policy (draft): OPERATOR-ACCESS.md
- SLA and support tiers (planned with Stripe billing — currently on hold)
Internal baseline: npm run doctor:security · control mapping:
docs/SOC2.md
Enterprise contact: hello@webmailagent.com