Security

How we keep your data safe.

Architecture

linuxtoaster uses a two-component architecture designed for security and performance:

• toast — Lightweight CLI that talks to the local daemon
• toastd — Local daemon that manages connections and API keys

Your API keys never leave your machine. The toastd daemon holds credentials in memory and makes authenticated requests on your behalf.

BYOK Security

When using Bring Your Own Key:

• Your API keys are read from PROVIDER_API_KEY environment variables.
• Requests go directly from toastd to the AI provider
• Format normalization is performed locally by toastd
• linuxtoaster.com never sees your keys or request content

Managed Service Security

When using linuxtoaster's managed API:

• Requests are proxied through linuxtoaster.com
• We authenticate and route to the appropriate provider
• You only need one account to use many providers.
• We log metadata (token counts, timestamps) for billing
• We do NOT log prompt content or responses

Local Storage

Sensitive files are protected with appropriate permissions:

Project files (.crumbs, .chat, .persona) use standard file permissions and are not encrypted. Treat them like any other source file.

Network Security

• HTTP/2 with TLS 1.3 for all connections
• Certificate pinning for linuxtoaster.com
• Connection pooling via toastd reduces overhead
• No telemetry or analytics without explicit opt-in

Vulnerability Disclosure

Found a security issue? We appreciate responsible disclosure.

Email security@linuxtoaster.com with details. We'll respond within 48 hours and work with you on a fix timeline.

Please do not publicly disclose vulnerabilities until we've had a chance to address them.

Audit & Compliance

We welcome security audits from qualified researchers. Contact us for access to discuss audit arrangements.