Security

Security at Cast

Your API credentials and workspace configuration are sensitive. Here's exactly how we protect them. No vague promises — concrete practices, named algorithms, real architecture.

AES-256-GCM encryption at restTLS 1.2+ in transitZero plaintext secretsNo credential loggingEncrypted Redis cacheScoped internal API tokens
🔐

Secret encryption

Every secret you store in Cast — API keys, OAuth client credentials, Bearer tokens, passwords — is encrypted before it touches the database. We use AES-256-GCM with a randomly generated 96-bit IV per secret. The encryption key is stored separately from the database, rotated on schedule, and never logged.

Secrets are decrypted in memory only at request time, used for the upstream API call, and immediately discarded. They are never returned by the Cast API or visible in any log.

🌐

Transport security

All traffic between MCP clients and Cast runs over HTTPS with TLS 1.2+. Connections are terminated at our load balancer (AWS ALB) with modern cipher suites only. HTTP requests are automatically redirected to HTTPS.

Traffic between Cast and your upstream API uses HTTPS where your API supports it. We do not downgrade connections.

🗄️

Database & storage

All database fields containing secrets use column-level AES-256-GCM encryption in addition to database-level encryption at rest. MySQL TLS is enforced — connections without SSL are rejected.

OpenAPI specs you upload are stored in S3 with server-side encryption (SSE-S3). Specs are scoped to your workspace and not accessible by other users or workspaces.

Redis cache

Workspace configurations cached in Redis — including decrypted auth credentials used for hot-path token injection — are stored encrypted. The Redis instance is not exposed to the public internet.

Cache entries have TTLs (default 1 hour) and are evicted on workspace config changes via an internal reload API protected by a shared secret.

🛡️

Access control

The Cast internal API (used for cache reloads and provisioning) is protected by a separateINTERNAL_MCP_SECRET not shared with end users. Each service authenticates with the minimum required privilege.

Database credentials, encryption keys, and service secrets are managed via environment variables and AWS Secrets Manager in production. No secrets are committed to version control.

📋

Audit logging

Every tool call through a Cast MCP server is logged with: timestamp, tool name, workspace ID, HTTP status code, latency, and anonymized client identifier. Request and response bodies are not logged to prevent credential leakage in payloads.

Logs are available to workspace owners in the Cast dashboard. Logs are retained for 90 days and then permanently deleted.

Responsible disclosure

If you discover a security vulnerability in Cast, please report it to us before disclosing it publicly. We commit to acknowledging reports within 24 hours, investigating within 7 days, and providing a timeline for remediation.

security@getcast.io

What we don't do

  • Log API credentials, tokens, or passwords in plaintext
  • Return secrets via the Cast dashboard API
  • Share your API specs or call logs with third parties for advertising
  • Use your data to train AI models
  • Store card details (payment is handled by Telr)