Security Practices
Encryption, access controls, vulnerability disclosure.
This page describes the current state of our security practices. We only list what we can back up from the codebase or infrastructure configuration.
Encryption
- In transit. TLS 1.2 or higher required everywhere — api.layers.com, in.layers.com, docs.layers.com and the app are fronted by a managed load balancer with managed TLS certificates. HTTP is redirected to HTTPS.
- At rest (database). Primary database data is encrypted at rest with AES-256.
- At rest (object storage). Object storage buckets hosting generated media use provider-managed encryption keys.
- Column-level secrets. OAuth tokens, CAPI access tokens, webhook signing secrets, and partner API key hashes are additionally protected via a column-level secret store or bcrypt-hashed — see Vault.
Partner API key hashing
Partner API keys take the shape lp_<env>_<keyid>.<secret>. The
secret portion is hashed with bcrypt at cost factor 12 before being
stored. We store only the hash — if you lose the key, rotate; we
cannot send it to you.
Timing-safe verification
Key verification uses constant-time comparison so request timing can't leak whether a given key prefix exists.
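The key format, hash-only storage and timing-safe lookup described in the two sections above, as an added illustration that is not Layers' own code. It assumes a key store keyed by `<keyid>`, and, because bcrypt is not in the Python standard library, stands in PBKDF2-HMAC-SHA256 for the page's bcrypt cost-12 hash; the verification structure (parse, look up, slow-hash, constant-time compare, dummy hash for unknown ids) is the point.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional, Tuple

# Stand-in for bcrypt at cost 12 (what the page describes) so this runs
# offline: PBKDF2-HMAC-SHA256 from the standard library. Assumption, not
# Layers' configuration.
PBKDF2_ITERATIONS = 50_000
SALT_LEN = 16

def hash_secret(secret: str, salt: Optional[bytes] = None) -> bytes:
    """Return the stored form: <16-byte salt> || <32-byte digest>."""
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ITERATIONS)
    return salt + digest

def parse_key(key: str) -> Optional[Tuple[str, str]]:
    """Split lp_<env>_<keyid>.<secret> into (keyid, secret); None if malformed."""
    prefix, sep, secret = key.partition(".")
    parts = prefix.split("_", 2)  # keyid may itself contain underscores
    if sep != "." or not secret or len(parts) != 3 or parts[0] != "lp":
        return None
    return parts[2], secret

# Constructed sample store (keyid -> stored hash); only the hash is kept.
_SAMPLE_SECRET = "s3cr3tvalue"
KEY_STORE: Dict[str, bytes] = {"abc123": hash_secret(_SAMPLE_SECRET)}

# Hash of a random secret, verified against when the keyid is unknown so a
# missing id costs the same slow hash as a present one (no timing oracle).
_DUMMY_HASH = hash_secret(secrets.token_urlsafe(32))

def verify_key(key: str, store: Dict[str, bytes] = KEY_STORE) -> bool:
    parsed = parse_key(key)
    keyid, secret = parsed if parsed is not None else ("", "")
    stored = store.get(keyid)
    known = stored is not None
    if not known:
        stored = _DUMMY_HASH          # same work whether or not the id exists
    salt, expected = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ITERATIONS)
    match = hmac.compare_digest(candidate, expected)  # constant-time compare
    return bool(known and match)
```

The lookup-then-compare is done for every request, malformed ones included, so the only remaining timing difference is the hash itself, which is the same cost on every path.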
Access controls
Customer-side
- Row-Level Security (RLS) on tenant tables.
- Role-based authorization at the API layer; RLS sees the project/org context for every request.
Layers-internal
- Engineering access to production is scoped and audited.
- Production access requires authenticated SSO with MFA.
Vulnerability disclosure
Email security@layers.com with repro
steps and the requestId of any affected request. We aim to reply
promptly and will not pursue legal action against good-faith
researchers operating within
standard safe-harbor terms.
Layers does not currently run a paid bug-bounty program.
Please don't open public GitHub issues for vulnerabilities.
Supply chain
- Pull-request-based workflow — no direct-to-prod commits.
- CI runs typecheck + tests on every PR.
Logging
- Centralized logging for application + infrastructure logs.
- Partner API request logs retained 30 days.
- Raw request/response bodies are not persisted beyond the in-memory request scope.