Security

Authentication

Official connector access uses OAuth authorization-code flow with PKCE, scoped access tokens, refresh tokens, and token revocation.

Create Web Page will never ask for Google, OpenAI, Anthropic, ChatGPT, Claude, browser, or device passwords.

Secrets And Token Handling

Access tokens, refresh tokens, authorization codes, claim tokens, and edit tokens are treated as secrets. OAuth tokens and codes are stored only as hashes.

Operational request summaries are redacted for token-like, password-like, code-like, and credential-like fields before storage and review.

Normal MCP production usage does not require user OpenAI, Anthropic, or other model-provider API keys in this app.

Abuse Controls

The service includes rate limits, audit trails, abuse reporting, and account/page suspension controls.

Suspended pages are hidden from preview and public rendering, and suspended accounts are blocked from MCP tool calls.

Reporting

Security concerns can be sent to legal@create-web-page.com. Abuse or illegal content reports can be sent to abuse@create-web-page.com or submitted through the report page.