Security

Authentication

Official connector access uses OAuth authorization-code flow with PKCE, scoped access tokens, refresh tokens, and token revocation.

Temporary internal bearer tokens are for development and operational validation only. They are not a substitute for public connector OAuth.

Secrets And Token Handling

Access tokens, refresh tokens, authorization codes, claim tokens, and edit tokens are treated as secrets. OAuth tokens and codes are stored only as hashes.

Normal MCP production usage does not require user OpenAI, Anthropic, or other model-provider API keys in this app.

Abuse Controls

The service includes per-token, per-account, per-IP, and per-tool rate-limit structure; audit logs; an MCP kill switch; and account/page suspension fields.

Suspended pages are hidden from preview and public rendering, and suspended accounts are blocked from MCP tool calls.

Reporting

Security concerns can be sent to legal@create-web-page.com. Abuse or illegal content reports can be sent to abuse@create-web-page.com or submitted through the report page.