
Security

How we protect your data, your keys, and your payments.

Contents

Our Security Commitment
Data Encryption
API Key Security
Infrastructure
Authentication
On-chain Security
Responsible Disclosure
Report a Vulnerability

Our Security Commitment

Security is foundational to Metera. We handle on-chain payment infrastructure for AI agents — a context where vulnerabilities can have direct financial consequences. We take that responsibility seriously.

This page describes the security practices we follow, how to report vulnerabilities, and what you can expect when you do.

Data Encryption

All data in transit is encrypted using TLS 1.3. Data at rest is encrypted using AES-256. This applies to all user data, API keys, wallet metadata, and payment records stored in our systems.

We do not store private keys on our servers. Wallet signing operations happen client-side or via hardware security modules where applicable.

API Key Security

API keys are hashed using bcrypt before storage — we never store plaintext keys. Keys are scoped by permission level and can be revoked at any time from your dashboard.

We recommend rotating API keys regularly and restricting them to specific IP ranges where possible. Keys exposed in public repositories should be rotated immediately.

Infrastructure

Metera infrastructure runs on isolated environments with strict network segmentation. Services communicate over private networks. Production databases are not accessible from the public internet.

We run automated vulnerability scanning on all dependencies and apply security patches within 48 hours of critical CVE disclosure. Our infrastructure is continuously monitored for anomalous behavior.

Authentication

User authentication is handled via Supabase Auth with support for email/password and OAuth providers. Session tokens are rotated on each request.

We support and encourage the use of strong, unique passwords. Two-factor authentication is available and recommended for all accounts.

On-chain Security

Payments processed through Metera use the x402 protocol on Solana. On-chain transactions are immutable and publicly verifiable. We validate payment proofs server-side before granting API access.

We do not custody user funds. Payments flow directly from payer wallet to developer wallet. Metera does not have signing authority over any user wallet.

Responsible Disclosure

We operate a responsible disclosure program. If you discover a security vulnerability in Metera, please report it to us before making it public. We commit to:

— Acknowledge your report within 24 hours
— Provide a resolution timeline within 72 hours
— Credit you publicly (if you wish) once the issue is resolved
— Not take legal action against good-faith security researchers

Please do not access, modify, or delete user data when testing. Do not perform denial-of-service attacks or automated scanning against production systems.

Report a Vulnerability

Send vulnerability reports to:

security@Metera.dev

Include a clear description of the vulnerability, steps to reproduce, and your assessment of impact. We respond to all reports.