Security is not a feature.
It's the foundation.
Financial data demands the highest standard of protection. Every layer of aiPay.sh is designed with security as the default, not an afterthought.
Six layers of protection.
PAN and CVV are encrypted with AES-256-GCM using a random initialization vector per field. Card data is never stored in plaintext. Decryption occurs only on your explicit request through the CLI, MCP, or API. Encryption keys are rotated on a regular schedule.
Authentication uses 32-byte cryptographically random tokens delivered via magic link. Tokens are single-use with a 15-minute expiry. No passwords are stored. API keys are generated with sufficient entropy and scoped to your organization.
Session tokens are signed with a 256-bit secret using HMAC-SHA256. Tokens are stored locally with file permissions restricted to mode 0600 (owner read/write only). Sessions expire after 30 days and can be revoked manually.
Every MCP request is authenticated with your JWT. No shared credentials between users or agents. Destructive actions (card creation, payments) require human approval. Read-only actions execute without prompting.
Each registered agent receives its own API key with scoped permissions. One compromised agent cannot access another agent's cards, IBANs, or funds. Agent credentials can be rotated independently without affecting other agents.
Every action is logged with timestamp, actor (user or agent), resource affected, and context. Audit logs are immutable and retained for 7+ years. Logs can be exported as CSV or JSON, or streamed live with the audit log command.
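The session-token properties listed above (HMAC-SHA256 signature with a 256-bit secret, 30-day expiry, manual revocation, local storage at mode 0600), shown as an added example. This is not aiPay.sh's code; the token layout, the function names and the in-memory revocation set are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, os, time

SESSION_TTL = 30 * 24 * 3600  # 30-day session lifetime, as stated on the page

def b64e(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(secret, subject, now=None):
    """Return 'payload.signature' (assumed layout), signed with HMAC-SHA256."""
    now = time.time() if now is None else now
    payload = json.dumps({"sub": subject, "exp": int(now) + SESSION_TTL},
                         separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(secret, payload, hashlib.sha256).digest()
    return f"{b64e(payload)}.{b64e(sig)}"

def verify_token(secret, token, now=None, revoked=frozenset()):
    """Return the claims, or None if malformed, forged, expired or revoked."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, sig = b64d(payload_b64), b64d(sig_b64)
    except ValueError:  # wrong part count or bad base64
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    claims = json.loads(payload)  # parsed only after the signature checks out
    if claims["exp"] <= now or token in revoked:
        return None
    return claims

def save_token(path, token):
    """Create the file as 0600 from the start, so it is never briefly world-readable."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    try:
        os.fchmod(fd, 0o600)  # also tightens a file that already existed
        os.write(fd, token.encode())
    finally:
        os.close(fd)
```

Opening the file with the mode already set avoids the window that a write followed by `chmod` leaves, during which the token is readable under the default umask.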
Standards and certifications.
Card data handling follows PCI DSS requirements. Encryption at rest, tokenization in transit, and strict access controls.
Full compliance with EU data protection regulations. Data minimization, right to erasure, and data portability supported.
Security, availability, and confidentiality controls independently audited. Comprehensive controls for financial data handling.
Found a vulnerability?
We take security reports seriously. If you've found a vulnerability in our platform, please report it responsibly. We commit to acknowledging reports within 24 hours and providing a resolution timeline within 72 hours.