Trust center
Security posture for proof-backed billing.
Billabled handles operational time, billing evidence, exports, and API access. This page states practical controls without implying formal certifications or compliance programs.
Report a security concern
Send the affected workspace, endpoint, timestamp, expected behavior, observed behavior, and safe reproduction details. Do not include passwords, API keys, bearer tokens, or payment data.
Contact security
Workspace isolation
Workspace data access is treated as scoped by workspaceId unless a proven global resource is being accessed.
API key lifecycle
Keys are scoped, revocable, expirable, usage-tracked, shown once, and stored as hashes rather than full secret values.
Billing boundary
Stripe checkout accepts Billabled workspace plans only. The API does not expose billing changes or subscription management.
Export integrity
Exports avoid secrets and include x-billabled-export-sha256 integrity headers where supported.
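A client-side check of a downloaded export against the x-billabled-export-sha256 header, as an added example that is not Billabled's own code. It assumes the header carries the hex-encoded SHA-256 of the exact response body bytes, which this page does not specify; the function name, status strings and sample data are constructed for illustration.

```python
import hashlib
import hmac
from typing import Iterable, Mapping

HEADER = "x-billabled-export-sha256"  # header name as given on this page
HEX_DIGITS = set("0123456789abcdef")


def verify_export(headers: Mapping[str, str], chunks: Iterable[bytes]) -> str:
    """Return 'verified', 'mismatch' or 'no-header' for a downloaded export.

    Assumption: the header value is the hex SHA-256 of the raw body bytes.
    """
    # HTTP header names are case-insensitive, so normalise before lookup.
    lowered = {name.lower(): value for name, value in headers.items()}
    claimed = lowered.get(HEADER)
    if claimed is None:
        # The header is sent "where supported": absence means the export
        # is unverified, not that it is intact.
        return "no-header"

    claimed = claimed.strip().lower()
    if len(claimed) != 64 or not set(claimed) <= HEX_DIGITS:
        return "mismatch"  # a malformed digest is treated as a failure

    digest = hashlib.sha256()
    for chunk in chunks:  # stream so large exports are not held in memory
        digest.update(chunk)

    # Constant-time comparison of the computed and claimed digests.
    matches = hmac.compare_digest(digest.hexdigest(), claimed)
    return "verified" if matches else "mismatch"


# Constructed sample export body and matching header (not real Billabled data).
SAMPLE_BODY = [b"date,minutes,client\n", b"2024-01-02,90,Acme\n"]
SAMPLE_HEADERS = {
    "X-Billabled-Export-SHA256": hashlib.sha256(b"".join(SAMPLE_BODY)).hexdigest().upper()
}

if __name__ == "__main__":
    print(verify_export(SAMPLE_HEADERS, SAMPLE_BODY))
```

The digest only shows that the bytes received match what the header claims; it detects corruption or truncation in transit and storage, and relies on the TLS connection for the header's own authenticity.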
Public-route checks
API and Stripe webhook routes are internet-facing by design, with authentication or signature checks on every protected request.
Migration safety
Database changes are handled through a reviewed migration workflow instead of one-off production edits.
Boundaries that stay inside Billabled
The API is for scoped operational integrations. Billing changes, invites, subscription management, and workspace administration remain inside authenticated app workflows.