Security & privacy
How Amlexia handles credentials, data, and your responsibilities.
SDK keys
| Rule | Detail |
|---|---|
| Server only | Never embed am_... keys in frontend, mobile apps, or public repos |
| Per project | One key per Amlexia project; revoke and rotate from Settings |
| Ingest auth | Key is sent in the JSON body to ingest.amlexia.com, not as a browser cookie |
DANGER
If a key is committed to git, rotate it immediately in the dashboard, then purge it from history if the repo is public. Purging does not undo the exposure: anyone who cloned or forked the repo may still hold the old key, so treat it as compromised once it has been committed, not once it has been removed.
Dashboard access
- app.amlexia.com uses Clerk authentication — only your team members with accounts can view data.
- Ingest and dashboard are separate surfaces; possessing an SDK key does not grant dashboard login.
What we store
Events contain operational telemetry you send:
- Route/endpoint labels, HTTP method, status, latency
- Optional provider, model, tokens, cost estimates
- Trace/session/user ids you choose to attach
- Metadata JSON you choose to attach
We do not need your application’s database contents or end-user passwords.
Your obligations
- Scrub PII before sending metadata (use internal ids, not emails).
- Do not forward full LLM prompts or payment card numbers in events.
- Use x-user-id/x-session-id only with ids your privacy policy allows.
Headers for tracing
| Header | Purpose |
|---|---|
| x-session-id | Correlate a browser session (opaque id recommended) |
| x-user-id | Correlate a user (use internal id, not email) |
Middleware reads these server-side; they are not required.
Compliance
- Review amlexia.com/security and Subprocessors for infrastructure vendors (e.g. Cloudflare, Clerk).
- For DPA or enterprise security questionnaires: support@amlexia.com.
