Security

Security model for public beta teams.

EventStack's MVP security posture centers on tenant isolation, API-key scoping, replay safety, secret redaction, and honest public claims.

• Tenant-owned routes and rows are scoped by `organization_id`.
• API keys bind requests to one organization and environment.
• Public status and changelog responses are explicitly redacted.
• Session-authenticated billing and API-key mutations require reauthentication.
• Webhook, Stripe, email, and API secrets must never be logged or returned after save.