Security
Built-in security primitives
Last Price ships the primitives you would otherwise have to bolt on. Nothing exotic: standard mechanisms, applied on every request.
Authentication
JWTs (Authorization: Bearer …) and platform API keys (lp_…) with scopes (read · write · admin). JWTs carry the tenant_id in the sub claim.
Encryption at rest
Tenant API keys are encrypted with AES-256-GCM. Commerce connector credentials are stored as JSON in beta; envelope encryption is planned before general availability.
Rate limiting
Per-tenant (after auth) and per-IP (in middleware) limiters. The public demo endpoint has its own per-IP cap of 30 calls per hour.
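An added example, not the project's code, of the two-layer scheme above: one sliding-window limiter class keyed by IP or by tenant_id, the per-IP check run before auth and the per-tenant check after it, plus the demo endpoint's 30 calls/hour cap. The limit values other than 30/hour, the key names and the injectable clock are assumptions for the illustration.

```javascript
// Sliding-window limiter keyed by an arbitrary string (an IP or a tenant_id).
// The clock is injectable so the behaviour can be exercised deterministically.
class SlidingWindowLimiter {
  constructor(limit, windowMs, now = () => Date.now()) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.now = now;
    this.hits = new Map(); // key -> timestamps of calls still inside the window
  }

  // Record one call for `key`. Returns { allowed, remaining, retryAfterMs }.
  check(key) {
    const t = this.now();
    const recent = (this.hits.get(key) || []).filter((ts) => ts > t - this.windowMs);
    if (recent.length >= this.limit) {
      this.hits.set(key, recent);                 // rejected calls do not consume quota
      return { allowed: false, remaining: 0, retryAfterMs: recent[0] + this.windowMs - t };
    }
    recent.push(t);
    this.hits.set(key, recent);
    return { allowed: true, remaining: this.limit - recent.length, retryAfterMs: 0 };
  }
}

const HOUR = 60 * 60 * 1000;
let fakeNow = 0;                                  // constructed clock for the demo
const clock = () => fakeNow;

// Three limiters, mirroring the page. The demo cap is the page's 30 calls/hour;
// the other two limits are assumed values.
const demoPerIp = new SlidingWindowLimiter(30, HOUR, clock);
const perIp = new SlidingWindowLimiter(600, 60 * 1000, clock);      // middleware, before auth
const perTenant = new SlidingWindowLimiter(1000, 60 * 1000, clock); // after auth resolves tenant_id

// Public demo endpoint: unauthenticated, so only the per-IP cap applies.
function demoRequest(ip) {
  const r = demoPerIp.check(`ip:${ip}`);
  return r.allowed
    ? { status: 200 }
    : { status: 429, retryAfter: Math.ceil(r.retryAfterMs / 1000) }; // seconds, for Retry-After
}

// Authenticated endpoint: per-IP first (cheap, no auth needed), then per-tenant
// once tenant_id is known, so one noisy client of a tenant is throttled by IP
// before it can exhaust the whole tenant's quota.
function apiRequest(ip, tenantId) {
  const byIp = perIp.check(`ip:${ip}`);
  if (!byIp.allowed) return { status: 429, scope: 'ip' };
  const byTenant = perTenant.check(`tenant:${tenantId}`);
  if (!byTenant.allowed) return { status: 429, scope: 'tenant' };
  return { status: 200 };
}

// Drive the demo endpoint through its cap: 30 calls allowed, the 31st rejected,
// and allowed again once the oldest call has aged out of the hour window.
function runDemoScenario() {
  const statuses = [];
  for (let i = 0; i < 31; i++) {
    statuses.push(demoRequest('203.0.113.7').status);
    fakeNow += 1000;                              // one call per second
  }
  fakeNow += HOUR;                                // oldest call is now outside the window
  statuses.push(demoRequest('203.0.113.7').status);
  return statuses;
}
```

Rejected calls are deliberately not counted: if they were, a client already over the cap could never recover while it keeps retrying, which turns a limiter into a denial-of-service amplifier. The in-memory Map is a single-process simplification; a multi-instance deployment keeps the same counters in a shared store.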
Webhook signatures
HMAC-SHA256 over the raw request body. Verify the X-Signature header against the exact bytes received (not a re-serialized copy), using a constant-time comparison, before trusting any payload.
Security headers
Middleware sets X-Content-Type-Options, X-Frame-Options DENY, Referrer-Policy strict-origin-when-cross-origin, HSTS in production, and a restrictive Permissions-Policy.
Tenancy isolation
Every request is scoped to the tenant_id resolved from auth, so a caller cannot select another tenant by supplying an id. Workspace membership is checked in O(1) via wsDb.getTeamMember.
Webhook verifier
The verifier tool on this page calls POST /api/public/webhook-verify, which uses the canonical verifyWebhookSignature helper.
Reporting a vulnerability
Email support@last-price.ai with reproduction steps, affected endpoints, and any logs you can share. Please report privately and do not post about unpatched issues in public. We acknowledge reports within one business day.