Security
Security posture for OneAI API customers.
OneAI is designed as API infrastructure: hashed API keys, scoped access, usage logs, billing controls, request IDs, and model routing policies. It coordinates intelligence; OneClaw and bots handle execution.
API key hygiene
Keys are stored hashed on the API side. Create separate keys per environment and revoke leaked keys immediately.
Usage and cost controls
Track provider, model, token usage, estimated cost, latency, and requestId for customer support.
Provider policy
Use provider/model allowlists, routing modes, fallbacks, and maxCostUsd to keep production calls controlled.
Model readiness
Model registry, catalog sync, pricing coverage, and one-model-at-a-time health checks help operators verify providers before customer traffic.
Request observability
Every commercial call can be tied back to requestId, provider, model, usage, latency, error state, and API key.
Execution boundary
OneAI returns plans, structured decisions, and coordination outputs. Direct execution stays outside the OneAI API boundary.
Operational recommendation
Keep secrets server-side, pass requests through your backend, set idempotency keys for retries, and monitor usage daily before increasing customer limits.
Production checklist
- Separate prod and dev API keys
- Set monthly budgets and maxCostUsd
- Enable Stripe billing before paid traffic
- Review Usage for errors and cost spikes
- Health-check new providers before exposing them