Security Model
How MyClaude protects user accounts, product files, payment data, and marketplace integrity through layered security controls.
MyClaude protects users through 6 security layers: JWT-based authentication, database-level ownership rules blocking unauthorized access to sensitive fields, signed URLs for paid file downloads (5-minute expiry), CSRF middleware on all mutations, automated content scanning with 22 malicious pattern detectors, and rate limiting on all API mutation routes. No single control protects everything — a bug in one layer cannot bypass the others.
Authentication
Every user session is backed by Firebase Authentication, which is independent from Anthropic's own authentication systems. MyClaude manages its own user accounts and sessions via Firebase Auth.
When you log in, Firebase issues a JWT (JSON Web Token) that is valid for 1 hour and automatically refreshed client-side.
| Mechanism | Detail |
|---|---|
| Provider | Firebase Auth (email/password, Google OAuth) |
| Token type | Firebase ID Token (JWT, RS256 signed) |
| Token expiry | 1 hour, auto-refreshed by Firebase SDK |
| Token delivery | Authorization: Bearer {token} on every API request |
Unauthenticated users can browse public product listings. Any action that writes data — purchasing, publishing, downloading a paid file — requires a valid token.
Authorization
MyClaude uses a dual-layer architecture. The server handles all privileged operations with full data access; the client is scoped to public reads and authenticated user operations.
| Context | Layer | Role |
|---|---|---|
| Server-rendered pages (SSR) | Server | Read product/user data |
| API Routes (mutations) | Server | Verify tokens, write orders, generate signed URLs |
| Browser (client components) | Client | Auth state, public reads, user profile updates |
Every API route that performs a mutation follows this verification sequence:
- Extract
Authorization: Bearer {token}from request headers - Verify the token server-side — rejects expired or tampered tokens
- Use the decoded UID to confirm the caller is authorized for the requested resource
- Return
401 Unauthorizedif the token is missing, expired, or invalid
Data Protection
Database security rules enforce ownership at the data layer, independent of application logic. This means a bug in application code cannot grant a user access to another user's private data.
| Collection | Read rule | Write rule |
|---|---|---|
products | Public (published products) | Owner only |
users | Public (profile data) | Owner only |
orders | Owner only | Server-side only (webhook) |
reviews | Public | Authenticated buyers only |
Sensitive fields — such as raw Stripe account identifiers and internal file storage paths — are never included in client-facing API responses.
File Storage
Product files for paid products are never exposed directly to the browser. Raw file URLs are admin-only fields, never included in client-facing responses.
The download flow:
User clicks Download
→ POST /api/products/download (with auth token)
→ API verifies token
→ For paid products: confirms purchase order exists for this user + product
→ For free products: allows immediately
→ Generates a signed URL (5-minute expiry, single-use intent)
→ Returns URL → Client opens in new tab| Control | Value |
|---|---|
| Direct file URL exposure | Never — fileUrl field is server-only |
| Signed URL expiry | 5 minutes |
| Storage bucket read rules | allow read: if false (signed URLs bypass this) |
| Paid product access | Order existence verified before URL generation |
Content Scanning
Every product submitted via myclaude publish passes through the CONDUIT pipeline before appearing on the marketplace. The pipeline runs myclaude validate against the product bundle.
| Check | What it detects |
|---|---|
| Secrets scan | API keys, tokens, credentials, private keys |
| Malicious patterns | Shell injection, network exfiltration patterns |
| Prohibited content | Content policy violations (see Content Policy) |
| Manifest validation | Required vault.yaml fields, version format, category validity |
Products that fail any scan are rejected before listing. Creators receive a specific error message identifying the violation.
Payment Security
Payments are processed entirely by Stripe. MyClaude never handles raw card data.
| Control | Detail |
|---|---|
| Payment processor | Stripe (PCI DSS Level 1 certified) |
| Creator payouts | Stripe Connect Express — MyClaude never holds creator funds |
| Order creation | Server-side only, triggered by Stripe webhook |
| Webhook verification | Every webhook signature is cryptographically verified before processing |
| Platform fee | 8% retained via Stripe Connect application fee |
Orders are created exclusively by the Stripe webhook handler. There is no client-side code path that can create an order. A buyer purchasing a product through any means other than Stripe checkout will not receive a valid order record, and will be denied file access.
Rate Limiting
All mutation API routes are protected by server-side rate limiting to prevent abuse.
| Endpoint category | Limit |
|---|---|
| Auth-required mutations | 60 requests / minute per user |
| Stripe checkout initiation | 10 requests / minute per user |
| File download | 20 requests / minute per user |
Related pages
- Vulnerability Disclosure — how to report security issues
- Trust & Safety — content enforcement and marketplace integrity
- Content Policy — prohibited content rules
- Claude Code documentation — official Claude Code reference from Anthropic
Design System Reference
Complete reference for MyClaude's design system: color tokens, typography scale, surfaces, glow shadows, motion, z-index, spacing, component inventory, and the token-only enforcement policy.
Creator Security Guide
Security best practices for MyClaude product creators: protecting your accounts, passing content scans, designing secure products, and responding to reports.