docs: update security.md to reflect current gateway token behavior
The has_token redaction was reverted to avoid a frontend breaking change. Update docs to match: tokens are currently returned in API responses, redaction is planned for a future PR. Also note the configurable payload size limit.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
committed by
Abhimanyu Saharan
parent
a66765a514
commit
84a5d8677e
@@ -39,11 +39,11 @@ Missing or invalid signatures return `403 Forbidden`. If no secret is configured
|
||||
|
||||
## Webhook payload size limit
|
||||
|
||||
Webhook ingest enforces a **1 MB** (1,048,576 bytes) payload size limit. Both the `Content-Length` header and the actual streamed body size are checked. Payloads exceeding this limit return `413 Content Too Large`.
|
||||
Webhook ingest enforces a payload size limit (default **1 MB** / 1,048,576 bytes, configurable via `WEBHOOK_MAX_PAYLOAD_BYTES`). Both the `Content-Length` header and the actual streamed body size are checked. Payloads exceeding this limit return `413 Content Too Large`.
|
||||
|
||||
## Gateway token redaction
|
||||
## Gateway tokens
|
||||
|
||||
Gateway tokens are never returned in API responses. The `GET /api/v1/gateways/*` endpoints return `has_token: true/false` instead of the raw token value. Store tokens securely at creation time; they cannot be retrieved later.
|
||||
Gateway tokens are currently returned in API responses. A future release will redact them from read endpoints (replacing the raw value with a `has_token` boolean). Until then, treat gateway API responses as sensitive.
|
||||
|
||||
## Container security
|
||||
|
||||
|
||||
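Review bot: In the new "Gateway tokens" paragraph, "treat gateway API responses as sensitive" does not tell the reader what to do or which responses are meant. The removed text named `GET /api/v1/gateways/*`; the new text names no endpoint, so it is unclear whether only the read endpoints or every gateway response carries the raw token. Suggest naming the affected endpoints and stating the expected handling, for example keeping those response bodies out of logs and caches and limiting who may call the endpoints. The removed advice "Store tokens securely at creation time" still applies while tokens are returned and could be kept. Renaming the heading from "Gateway token redaction" to "Gateway tokens" may also break existing links to the old section anchor. In the payload paragraph, it would help to say whether `WEBHOOK_MAX_PAYLOAD_BYTES` has an enforced upper bound, since an operator can now raise the limit that the `413 Content Too Large` check depends on.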