Charon Gate

Security & trust

This page summarizes how Charon Gate handles verification, encryption, and tenant isolation. Deeper technical material is available to customers and prospects on request.

Threat assumptions

Operators hold infrastructure secrets (database, Redis, signing keys). Customers control destination URLs and optional outbound auth material. Inbound traffic may be hostile; ingest applies size limits and rate limits.

Inbound verification

Raw bodies are stored for verification and replay. Stripe and GitHub adapters verify HMAC signatures with constant-time comparisons where applicable; Stripe enforces a timestamp window. Generic mode accepts common webhook signature headers over the raw body.

At-rest encryption

Signing secrets and destination auth payloads are encrypted with AES-256-GCM. Secrets are never returned from APIs after creation.

Outbound forwarding

Destinations must use HTTPS unless an endpoint explicitly allows insecure mode (local development only). Charon attaches versioned Charon-* headers, including an outbound signature derived from operator-controlled signing material.

Authentication & isolation

The dashboard and JSON APIs authenticate via Clerk (browser sessions) and tenant-scoped API keys. Every query is constrained by tenant_id.

Contact

For procurement or security review detail, contact us directly.