Security.

Transport

Headers

Errors

All non-success responses ship as application/problem+json (RFC 7807) with {type, title, status, detail, instance}. The type URI points at the methodology section that explains the relevant problem class.

Admin surface

Admin endpoints (e.g. /v1/admin/usage) require a bearer token (AMANOKI_METRICS_TOKEN). When the token is unset, or the bearer doesn't match, the endpoint returns 404 Not Found with no hint that the endpoint exists. Presence is not leaked.
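A minimal sketch of the gate described above, combined with the RFC 7807 error shape from the Errors section; it is an added example, not the service's own code. The handler signature, the placeholder type URI, the response bodies and the constant-time comparison are assumptions; only the path, the token variable name and the 404 behaviour come from this page.

```python
import hmac
import json
import os

ADMIN_PATHS = {"/v1/admin/usage"}  # admin endpoint named on the page
PROBLEM_BASE = "https://example.invalid/methodology"  # placeholder, not the real type URI

def problem(status, title, detail, instance, slug):
    """Build an RFC 7807 response as (status, headers, body)."""
    body = json.dumps({
        "type": f"{PROBLEM_BASE}#{slug}",
        "title": title,
        "status": status,
        "detail": detail,
        "instance": instance,
    })
    return status, {"Content-Type": "application/problem+json"}, body

def not_found(path):
    # One code path for every 404, so a gated admin route and a route that
    # does not exist produce the same response apart from the echoed path.
    return problem(404, "Not Found", "No such resource.", path, "not-found")

def bearer_ok(auth_header, expected):
    """True only if a token is configured and the presented bearer matches it."""
    if not expected or not auth_header:
        return False  # unset token disables the admin surface entirely
    scheme, _, presented = auth_header.partition(" ")
    if scheme.lower() != "bearer":
        return False
    # Constant-time comparison (assumption: the page does not say how it compares).
    return hmac.compare_digest(presented.strip().encode(), expected.encode())

def handle(path, headers, env=os.environ):
    """Hypothetical router covering only the admin gate."""
    if path in ADMIN_PATHS:
        token = env.get("AMANOKI_METRICS_TOKEN")
        if not bearer_ok(headers.get("Authorization"), token):
            return not_found(path)
        # Constructed success body; the real payload is not shown on the page.
        return 200, {"Content-Type": "application/json"}, json.dumps({"usage": []})
    return not_found(path)
```

The property worth checking in a real deployment is the one `not_found` enforces: status, headers and body fields for a rejected admin request match those of an unknown route.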

Authentication

Public endpoints are currently callable without an API key. When paid tiers open, keys will be issued through the billing flow; rate limits and tier gating will apply. The endpoint shapes stay the same under either regime.

Data collected

Third parties

Reporting

Vulnerability disclosures will open alongside the billing flow. Until then, the scope is small enough that direct inspection of the methodology is the intended audit path.