Supr.technology


Security at Supr

Last updated: July 2, 2026

Supr is built around a simple boundary: customers use the SaaS dashboard and approved API routes, while the raw agent execution runtime stays behind Cloudflare and service-to-service authentication. That gives builders a full agent experience without exposing runtime credentials or direct execution URLs.

Security model in plain English

The public site explains Supr, the app handles the customer workflow, the Worker API enforces account state and plan limits, and the private Google Cloud runtime does the agent work only after Cloudflare has approved the request.

  • Protected customer routes and separate admin-only routes.
  • Stripe webhook signature verification before billing state changes.
  • Usage and billing checks before an agent run is allowed.
  • Short-lived signed launch context for full-screen agent access.

Platform boundaries

Supr uses Cloudflare Pages for the public site, customer app, admin app, and documentation. Cloudflare Workers provide the API boundary for authentication, billing, usage enforcement, webhook handling, audit records, and approved agent proxy requests. The Google Cloud runtime is not intended to be accessed directly by customers.

Account and route protection

Customer dashboard routes require authentication. Admin dashboard routes require an admin role. Sessions are managed through the API layer, and sensitive account actions are tied to organization and user context rather than trusting browser-provided identifiers.

Agent run protection

Before Supr starts agent work, the API checks the signed-in user, organization, project, subscription status, plan limits, usage state, autonomy level, and approval policy. Approved requests include only the context needed by the runtime: user ID, organization ID, project ID, plan limits, autonomy settings, approval policy, project context, and prompt.

Billing and webhook security

Stripe handles payment details. Supr stores Stripe customer and subscription identifiers, subscription status, cancellation state, and billing events needed to enforce access. Stripe webhook events are verified before they update subscription state or unlock paid features.

Usage, audit, and abuse controls

Every agent run creates a usage record. Supr uses those records to enforce plan limits, explain billing, investigate support cases, and detect suspicious usage. Rate limits, audit logs, admin views, and policy enforcement give the platform a record of important account, billing, and runtime actions.

Secrets and infrastructure

Runtime credentials, Stripe secrets, service tokens, and signing keys belong in environment variables or platform secret stores. They should not be committed to the repository, placed in frontend bundles, or copied into support tickets.

Responsible disclosure

If you believe you found a vulnerability, email editor@mr.technology with the affected URL, steps to reproduce, impact, and any safe proof of concept. Do not access, modify, delete, or exfiltrate data that is not yours.

Supervised AI project workers for solo developers, founders, and small teams shipping real software.