// Security

Bindify uses zero-knowledge encryption. We cannot read your credentials — even if we wanted to.

Your OAuth tokens are encrypted using a key that only exists in your secret URL. Bindify never stores the decryption key. If our entire infrastructure were compromised, attackers would get encrypted blobs they cannot decrypt. Here is exactly how it works.

// Zero-knowledge encryption

Your secret URL:
https://api.bindify.dev/s/{secret1}/{secret2}/sse

secret1 = lookup key (stored by Bindify)
secret2 = encryption key (NEVER stored by Bindify)

Your OAuth tokens are encrypted with AES-256-GCM
using a key derived from secret2 via HKDF.

On every request:
1. secret1 finds your connection in our database
2. secret2 decrypts your tokens in memory
3. Tokens are forwarded to the upstream service
4. Nothing is stored in plaintext. Ever.

This means:

Your secret URL and API key are shown once when you connect a service. We never display them again because we never store them. If you lose them, you reconnect (a new OAuth flow generates fresh credentials).

// API key authentication

In addition to secret URLs, Bindify offers API key authentication for programmatic access and CLI tools like Claude Code.

Your API key:
bnd_{secret1}_{secret2}

Same dual-secret system as the URL:
secret1 = lookup key (stored by Bindify)
secret2 = encryption key (NEVER stored by Bindify)

Used via HTTP header:
Authorization: Bearer bnd_{secret1}_{secret2}

The API key is derived from the exact same two secrets as the URL. It provides identical zero-knowledge security guarantees:

When to use which:

Both methods are equivalent. Choose whichever fits your client.

// The math: dual secret URLs

Every Bindify connection uses two independent UUID v4 values in the URL path:

https://api.bindify.dev/s/{uuid-1}/{uuid-2}/sse

Each UUID v4 = 122 random bits
Two UUIDs = 244 random bits
Total space = 2^244 = 2.8 × 10^73 combinations

To put that in perspective:

Total possible URLs: 2.8 × 10^73
Active connections: ~1,000 (generous estimate)
Probability per guess: 3.6 × 10^-71

Powerball odds: 1 in 2.9 × 10^8
Winning Powerball 9x: 1 in 1.2 × 10^76

Guessing a Bindify URL is comparable to winning the Powerball 9 times in a row.

// What we do to protect you

HTTPS encryption

All traffic between Claude and Bindify is encrypted with TLS. Your secret URL is never transmitted in plaintext.

Rate limiting

Aggressive rate limits on all endpoints. Brute-force enumeration of URLs is computationally impossible and would be blocked long before making progress.

Bot detection

Automated scanning and enumeration attempts are detected and blocked at the edge.

Zero-knowledge token storage

Your OAuth tokens are encrypted at rest using AES-256-GCM with a key derived from your secret URL. The decryption key is never stored by Bindify — it exists only in the URL you control. Even a full infrastructure compromise cannot expose your credentials.

Instant revocation

You can revoke any connection instantly from your dashboard. The secret URL stops working immediately. You can also regenerate a new URL at any time.

No request logging

We do not log, store, or inspect the content of MCP requests or responses. We track only metadata (timestamps, status codes) for monitoring and debugging.

// Honest risk assessment

RISK: If someone obtains your secret URL, they can access
your connected service until you revoke it.

This is the same risk model as:
- API keys
- Webhook URLs (Slack, Discord, etc.)
- Pre-signed S3 URLs
- Git remote URLs with tokens

The URL itself is the credential. Treat it like a password:

This is a deliberate trade-off: permanent convenience in exchange for treating a URL as a secret. We believe this is the right trade-off for most users, and it is the same model used by thousands of production APIs and webhooks across the industry.

// Questions?

If you have security concerns or want to report a vulnerability, contact us at [email protected].