Security

Security isn't a feature. It's the architecture.

Cortex uses a Bring Your Own Key model with dedicated server isolation and encrypted vault storage. Your keys are stored only in encrypted form and delivered only to the dedicated server of the agent they belong to, every access is logged, and each agent runs in complete isolation.


BYOK — Bring Your Own Key

Cortex doesn't issue or own your LLM API keys. You bring your own, and Cortex keeps them only in encrypted form.

How it works

  1. During onboarding, you provide your LLM API key (Anthropic, OpenAI, or another supported provider).
  2. The key is immediately encrypted and stored in Supabase Vault, which encrypts it at rest with Postgres's pgsodium extension.
  3. Application tables hold only the vault entry's ID. The plain-text key is never written to any database column.
  4. During agent provisioning, the provisioning pipeline (the one code path that reads the decrypted value) pulls the key and writes it to the agent server as a root-owned environment file (mode 0600).

What this means

  • Your key is never visible in the Cortex dashboard, which can show only that a secret exists and which deployment it belongs to
  • Your key is never stored in application code
  • Your key is never accessible to anything except the provisioning pipeline and the specific agent deployment it's assigned to
  • You control revocation and rotation entirely: the key is issued by your provider, so you can revoke it there at any time

Vault architecture

Cortex uses Supabase Vault for all secrets management.

Encryption at rest

Keys are encrypted using pgsodium, the Postgres extension that exposes libsodium primitives to SQL, with authenticated encryption (XChaCha20-Poly1305). Authenticated encryption means every stored secret carries an integrity tag, so a ciphertext that has been modified in the database fails decryption instead of yielding a corrupted key.

Reference-based access

The application database stores a reference ID pointing to the vault entry — never the secret value itself. Application code never sees the decrypted key except during the provisioning pipeline.

Scoped naming

Vault secret naming is scoped per-organization and per-deployment to prevent collisions across agents. Organization A's key for Agent 1 cannot be confused with Organization B's key for Agent 2.

Audit logging

Every secret access is logged: who accessed it, when, which deployment, and what operation.

Metadata separation

A dedicated secrets table tracks metadata (organization, deployment, secret name) without exposing values. You can see that a secret exists and which deployment it belongs to, but never its contents.
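The following added example (mine, not Cortex's or Supabase's code) models the storage design described in the BYOK steps and the vault sections above: a vault table holding ciphertext, an application table holding only a reference ID plus metadata, names scoped per organisation and deployment, and an audit row for every access. The table and column names, the org and deployment identifiers and the key values are constructed for illustration, and the cipher is a standard-library stand-in (HMAC-SHA256 in counter mode with an HMAC tag, encrypt-then-MAC) for the XChaCha20-Poly1305 that pgsodium provides in the real system.

```python
"""Reference-based secret storage with scoped naming, audit logging and a
metadata table that never holds values. Added example, not Cortex's code.

The cipher is a standard-library stand-in for pgsodium: HMAC-SHA256 in
counter mode as the keystream plus an HMAC tag (encrypt-then-MAC), with the
scoped vault name bound as associated data. The data model is the point.
"""
import hashlib
import hmac
import os
import sqlite3
import uuid
from datetime import datetime, timezone

# Stand-in for the server-managed vault key: held by the vault, never by app code.
_VAULT_KEY = os.urandom(32)
_ENC_KEY = hmac.new(_VAULT_KEY, b"enc", hashlib.sha256).digest()
_MAC_KEY = hmac.new(_VAULT_KEY, b"mac", hashlib.sha256).digest()


def _keystream(nonce: bytes, length: int) -> bytes:
    blocks, i = [], 0
    while sum(map(len, blocks)) < length:
        blocks.append(hmac.new(_ENC_KEY, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest())
        i += 1
    return b"".join(blocks)[:length]


def _tag(nonce: bytes, aad: bytes, ct: bytes) -> bytes:
    # Length-prefix the AAD so (aad, ct) pairs cannot be re-split ambiguously.
    return hmac.new(_MAC_KEY, nonce + len(aad).to_bytes(4, "big") + aad + ct, hashlib.sha256).digest()


def _encrypt(plaintext: bytes, aad: bytes) -> tuple:
    nonce = os.urandom(24)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(nonce, len(plaintext))))
    return nonce, ct + _tag(nonce, aad, ct)


def _decrypt(nonce: bytes, blob: bytes, aad: bytes) -> bytes:
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, _tag(nonce, aad, ct)):
        raise ValueError("vault entry failed authentication")  # tampered, or wrong scope
    return bytes(c ^ k for c, k in zip(ct, _keystream(nonce, len(ct))))


db = sqlite3.connect(":memory:")  # constructed in-memory stand-in for the Postgres schemas
db.executescript("""
CREATE TABLE vault_secrets (          -- vault side: ciphertext only
    id TEXT PRIMARY KEY, name TEXT UNIQUE NOT NULL, nonce BLOB NOT NULL, secret BLOB NOT NULL);
CREATE TABLE secrets_meta (           -- application side: metadata plus a reference ID
    org_id TEXT NOT NULL, deployment_id TEXT NOT NULL, secret_name TEXT NOT NULL,
    vault_secret_id TEXT NOT NULL REFERENCES vault_secrets(id),
    UNIQUE (org_id, deployment_id, secret_name));
CREATE TABLE vault_audit (            -- who, when, which deployment, what operation
    ts TEXT NOT NULL, actor TEXT NOT NULL, deployment_id TEXT NOT NULL,
    operation TEXT NOT NULL, vault_secret_id TEXT NOT NULL);
""")


def scoped_name(org_id: str, deployment_id: str, secret_name: str) -> str:
    """Vault-level name scoped per organisation and deployment, so org A's
    ANTHROPIC_API_KEY for agent 1 can never collide with org B's for agent 2."""
    return f"org:{org_id}/deployment:{deployment_id}/{secret_name}"


def _audit(actor: str, deployment_id: str, operation: str, ref: str) -> None:
    db.execute("INSERT INTO vault_audit VALUES (?, ?, ?, ?, ?)",
               (datetime.now(timezone.utc).isoformat(), actor, deployment_id, operation, ref))


def create_secret(org_id, deployment_id, secret_name, value: str, actor: str) -> str:
    """Onboarding: encrypt the key into the vault and store only its ID in the app table."""
    ref, name = str(uuid.uuid4()), scoped_name(org_id, deployment_id, secret_name)
    nonce, blob = _encrypt(value.encode(), name.encode())
    db.execute("INSERT INTO vault_secrets VALUES (?, ?, ?, ?)", (ref, name, nonce, blob))
    db.execute("INSERT INTO secrets_meta VALUES (?, ?, ?, ?)", (org_id, deployment_id, secret_name, ref))
    _audit(actor, deployment_id, "create", ref)
    return ref


def resolve_secret(org_id, deployment_id, secret_name, actor: str) -> str:
    """Provisioning: the one path that yields plaintext, and every call is audited."""
    row = db.execute("SELECT vault_secret_id FROM secrets_meta WHERE org_id=? AND deployment_id=? AND secret_name=?",
                     (org_id, deployment_id, secret_name)).fetchone()
    if row is None:
        raise LookupError(f"no {secret_name} for {org_id}/{deployment_id}")
    name, nonce, blob = db.execute("SELECT name, nonce, secret FROM vault_secrets WHERE id=?", row).fetchone()
    _audit(actor, deployment_id, "decrypt", row[0])
    return _decrypt(nonce, blob, name.encode()).decode()


def metadata_view() -> list:
    """What a dashboard can show: existence and ownership, never contents."""
    return db.execute("SELECT org_id, deployment_id, secret_name, vault_secret_id FROM secrets_meta").fetchall()


def audit_view() -> list:
    return db.execute("SELECT actor, deployment_id, operation, vault_secret_id FROM vault_audit").fetchall()


def plaintext_in_database(value: str) -> bool:
    """True if the raw key appears anywhere in either table (it should not)."""
    rows = db.execute("SELECT * FROM vault_secrets").fetchall() + db.execute("SELECT * FROM secrets_meta").fetchall()
    return any((value.encode() in c) if isinstance(c, bytes) else (value in str(c)) for row in rows for c in row)
```

The scoped name is bound into the ciphertext as associated data, so an entry copied or renamed from one organisation's scope into another fails authentication on decryption rather than quietly yielding the wrong customer's key.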

Server isolation

Every Cortex agent runs on its own dedicated server. This is not multi-tenant container hosting.

Per-agent isolation

  • Dedicated Ubuntu server (2 vCPU, 4 GB RAM)
  • Own filesystem, processes, and network interface
  • Own TLS certificates, issued and renewed automatically by Caddy
  • Own DNS subdomain
  • Own memory stack (Memory API, fact store, QMD hooks)

What isolation prevents

  • No shared memory between customers' agents
  • No shared filesystem access
  • No shared process space
  • No cross-customer network access
  • No noisy-neighbor resource contention

Secret handling on the agent server

  • Environment files are root-owned with mode 0600 (read/write only by root)
  • Secrets are written during provisioning and are not readable by unprivileged processes on the server
  • The agent runtime receives secrets as environment variables loaded from that file at start-up; it never fetches them from the application database or over an API call, so the running agent holds no vault credentials
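The following added example (mine, not Cortex's provisioning code) shows the two properties this section relies on for the environment file written in BYOK step 4: creating it with mode 0600 regardless of the caller's umask, and refusing values that would break the one-variable-per-line format (a newline inside a "secret" would otherwise define extra variables). The file path, the variable names and the key value are constructed; the owner check defaults to root (uid 0) as on the agent server, and the demo passes the current uid because it does not run as root.

```python
"""Writing and checking the per-agent environment file. Added example, not
Cortex's provisioning code; path, variable names and key value are constructed.
"""
import os
import re
import stat
import tempfile

_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def _shell_quote(value: str) -> str:
    # Single-quote so $, spaces and double quotes survive `source`; an
    # embedded single quote becomes '\'' (close, escaped quote, reopen).
    return "'" + value.replace("'", "'\\''") + "'"


def write_env_file(path: str, env: dict) -> None:
    """Create PATH with mode 0600 and write one KEY='value' line per secret.

    O_EXCL makes the call fail if PATH already exists, so a stale or planted
    file (or a symlink pointing elsewhere) is never silently overwritten.
    """
    lines = []
    for name, value in env.items():
        if not _NAME_RE.match(name):
            raise ValueError(f"invalid variable name: {name!r}")
        if any(ch in value for ch in "\r\n\0"):
            # A newline inside a secret would let one value define further variables.
            raise ValueError(f"control characters in value for {name}")
        lines.append(f"{name}={_shell_quote(value)}\n")
    # The mode given to os.open is masked by umask; fchmod pins it to exactly 0600.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        with os.fdopen(fd, "w") as f:
            os.fchmod(fd, 0o600)
            f.write("".join(lines))
            f.flush()
            os.fsync(fd)
    except BaseException:
        os.unlink(path)
        raise


def check_env_file(path: str, expected_uid: int = 0) -> list:
    """Return how PATH deviates from 'regular file, owner expected_uid, mode 0600'."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return ["is a symlink"]
    problems = []
    if not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    mode = stat.S_IMODE(st.st_mode)
    if mode != 0o600:
        problems.append(f"mode is {mode:04o}, expected 0600")
    if st.st_uid != expected_uid:
        problems.append(f"owner uid is {st.st_uid}, expected {expected_uid}")
    return problems


def read_env_file(path: str) -> dict:
    """Parse the KEY='value' lines back (verification only; the agent gets them as env vars)."""
    out = {}
    with open(path) as f:
        for line in f:
            name, _, quoted = line.rstrip("\n").partition("=")
            out[name] = quoted[1:-1].replace("'\\''", "'")
    return out


def demo() -> dict:
    """Write a constructed key under a temp dir, audit it, then show a loosened mode being caught."""
    path = os.path.join(tempfile.mkdtemp(), "agent.env")
    old = os.umask(0o022)  # a permissive umask must not loosen the file
    try:
        write_env_file(path, {"ANTHROPIC_API_KEY": "sk-ant-constructed-example"})
    finally:
        os.umask(old)
    uid = os.getuid()
    result = {"path": path, "problems": check_env_file(path, uid), "roundtrip": read_env_file(path)}
    os.chmod(path, 0o644)  # what a careless deploy step might do
    result["problems_after_chmod"] = check_env_file(path, uid)
    return result
```

On the real server the same check_env_file, run with the default expected_uid of 0, is the post-provisioning assertion that the file is root-owned and 0600; anything it returns is a reason to fail the deploy rather than start the agent.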

What happens if a server is compromised

In a worst-case scenario where an attacker gains access to an agent server:

What they could find

  • The agent's runtime environment, including the secret values present in the agent process's own environment variables, and its conversation context
  • Root-owned environment files (reading them directly requires root escalation)

What they would NOT find

  • Keys in the codebase: they don't exist there
  • Keys in any database: the application database holds only vault reference IDs, and the vault holds ciphertext
  • Other customers' data: servers are fully isolated
  • Vault access credentials: they are not left on agent servers

Blast radius containment: A compromised server affects one agent for one customer. No lateral movement to other agents or the platform itself.

Cortex vs. common patterns

  • Key encrypted at rest: Cortex ✅ (Supabase Vault, pgsodium). Shared API key, .env on server, multi-tenant container: varies.
  • Key isolated from application code: Cortex ✅ (the app stores only a vault reference ID). Other patterns: varies.
  • Per-agent server isolation: Cortex ✅ (one dedicated server per agent). Other patterns: depends on the hosting setup.
  • Secret access audit trail: Cortex ✅ (every vault access logged). Other patterns: varies.
  • User controls key lifecycle: Cortex ✅ (BYOK).
  • Blast radius if compromised: Cortex, a single agent. Shared API key, the entire platform. .env on server, that single server. Multi-tenant container, other tenants at risk.

Your keys. Your servers. Your control.

Deploy an AI agent with enterprise-grade security in 10 minutes.
