Trust center
Security posture for proof-backed billing.
Billabled handles operational time, billing evidence, exports, and API access. This page states practical controls without implying formal certifications or compliance programs.
Report a security concern
Send the affected workspace, endpoint, timestamp, expected behavior, observed behavior, and safe reproduction details. Do not include passwords, API keys, bearer tokens, or payment data.
Contact security
Workspace isolation
Workspace data access is treated as scoped by workspaceId unless a proven global resource is being accessed.
API key lifecycle
Keys are scoped, revocable, expirable, usage-tracked, shown once, and stored hashed rather than as raw secrets.
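The lifecycle properties listed above, as an added sketch that is not Billabled's code: an in-memory store that returns the raw key once, keeps only its SHA-256 digest, and checks revocation, expiry, workspace and scope on every use. The `KeyStore` class, the `demo_` prefix, the scope names and the result strings are assumptions made for illustration.

```python
import hashlib
import secrets
import time


def _digest(raw_key):
    # Keys are long random strings, so a fast hash is enough here;
    # low-entropy secrets such as passwords would need a slow KDF instead.
    return hashlib.sha256(raw_key.encode()).hexdigest()


class KeyStore:
    """Hypothetical stand-in for a key table: rows are indexed by digest only."""

    def __init__(self):
        self._rows = {}

    def issue(self, workspace_id, scopes, ttl_seconds, now=None):
        now = time.time() if now is None else now
        raw_key = "demo_" + secrets.token_urlsafe(32)  # constructed prefix
        self._rows[_digest(raw_key)] = {
            "workspace_id": workspace_id,
            "scopes": frozenset(scopes),
            "expires_at": now + ttl_seconds,
            "revoked": False,
            "uses": 0,
        }
        return raw_key  # shown once; the store never keeps this value

    def revoke(self, raw_key):
        row = self._rows.get(_digest(raw_key))
        if row is not None:
            row["revoked"] = True

    def usage(self, raw_key):
        return self._rows[_digest(raw_key)]["uses"]

    def authorize(self, raw_key, workspace_id, scope, now=None):
        now = time.time() if now is None else now
        row = self._rows.get(_digest(raw_key))
        if row is None:
            return "unknown_key"
        if row["revoked"]:
            return "revoked"
        if now >= row["expires_at"]:
            return "expired"
        if row["workspace_id"] != workspace_id:
            return "wrong_workspace"
        if scope not in row["scopes"]:
            return "missing_scope"
        row["uses"] += 1  # usage is counted only for successful calls
        return "ok"
```

Because only the digest is stored, a leaked copy of the table does not reveal usable keys, and a lost key cannot be recovered, only revoked and reissued.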
Billing boundary
Stripe checkout accepts internal plan IDs only. Public API v1 does not expose billing changes or subscription management.
Export integrity
Exports avoid secrets and include x-billabled-export-sha256 integrity headers where supported.
Public-route checks
API v1 and Stripe webhook routes are public at the proxy layer by design, with authentication or signature checks inside handlers.
Migration safety
Database changes are handled through the migration workflow instead of ad hoc production DDL.
Boundaries that stay out of public API v1
Public API v1 is for scoped operational integrations. Billing changes, invites, subscription management, and destructive workspace administration remain inside authenticated app workflows.