Security
Last updated 19 June 2026
A brief summary of the security posture for the Simple Developer Platform.
API keys
Every request to the platform is authenticated with a bearer token (Authorization: Bearer sk_live_…). Keys are provisioned per developer account and carry an individual quota. If you believe your key has been compromised, contact support@meetsimple.co immediately so we can revoke it.
Transport
All API traffic runs over HTTPS. There is no HTTP fallback. The MCP server
uses Streamable-HTTP transport (POST to /mcp) over the same
HTTPS endpoint.
Rate limiting and abuse prevention
Requests are rate-limited per API key. Usage warnings fire at 80 % and
100 % of your monthly quota; requests are declined at the hard cap.
Requests beyond the per-minute burst limit receive a
429 Too Many Requests response. These limits protect all users of
the shared infrastructure. Nothing drops silently.
Data handling
Email addresses submitted to the verification API are processed in-flight to check syntax, MX records, and disposable-domain lists. They are not stored after the response is returned. Quota counters and billing metadata are stored per key. See the Privacy page for the full data-handling disclosure.
Responsible disclosure
If you discover a security vulnerability in the platform, please report it to support@meetsimple.co. We will acknowledge reports promptly and work to address confirmed issues.