Operations

Security

Practices for running Consumo safely in production: least privilege, secrets handling, and data isolation.

Row Level Security

Consumption tables use RLS so each user only reads and writes their own rows. Avoid disabling RLS or using the service role key in browser code.

Provider secrets are encrypted at rest with a server-only key.
Full secrets are not returned from the API after save.
Rotate API_KEY_ENCRYPTION_SECRET carefully — existing ciphertext must be re-encrypted if you change it.

Use HTTPS in production. Keep Supabase JWT settings and redirect URLs aligned with your deployment domain.

Stay current on Next.js and Supabase client patches. Review Vercel security recommendations for your team.

This documentation is not a substitute for a full threat model or compliance review.