Security Model
How MyClaude protects user accounts, product files, payment data, and marketplace integrity through layered security controls.
MyClaude protects users through 6 security layers: Firebase Auth with JWT tokens, Firestore security rules blocking direct client writes to sensitive fields, signed URLs for paid file downloads (5-minute expiry), CSRF middleware on all mutations, automated content scanning with 22 malicious pattern detectors, and rate limiting on all API mutation routes. No single control protects everything — a bug in one layer cannot bypass the others.
Authentication
Every user session is backed by Firebase Authentication. When you log in, Firebase issues a JWT (JSON Web Token) that is valid for 1 hour and automatically refreshed client-side.
| Mechanism | Detail |
|---|---|
| Provider | Firebase Auth (email/password, Google OAuth) |
| Token type | Firebase ID Token (JWT, RS256 signed) |
| Token expiry | 1 hour, auto-refreshed by Firebase SDK |
| Token delivery | Authorization: Bearer {token} on every API request |
Unauthenticated users can browse public product listings. Any action that writes data — purchasing, publishing, downloading a paid file — requires a valid token.
Authorization
MyClaude uses a dual Firebase SDK architecture. The server-side Admin SDK handles all privileged operations; the client-side SDK is scoped to public reads and authenticated user operations.
| Context | SDK | Role |
|---|---|---|
| Next.js Server Components (SSR) | Firebase Admin | Read product/user data server-side |
| API Routes (mutations) | Firebase Admin | Verify tokens, write orders, generate signed URLs |
| Browser (client components) | Firebase Client SDK | Auth state, public reads, user profile updates |
Every API route that performs a mutation follows this verification sequence:
- Extract
Authorization: Bearer {token}from request headers - Call
admin.auth().verifyIdToken(token)— rejects expired or tampered tokens - Use the decoded UID to confirm the caller is authorized for the requested resource
- Return
401 Unauthorizedif the token is missing, expired, or invalid
Data Protection
Firestore security rules enforce ownership at the database layer, independent of application logic. This means a bug in application code cannot grant a user access to another user's private data.
| Collection | Read rule | Write rule |
|---|---|---|
products | Public (published products) | Owner only |
users | Public (profile data) | Owner only |
orders | Owner only | Webhook only (Admin SDK) |
reviews | Public | Authenticated buyers only |
Sensitive fields — such as raw Stripe account identifiers and internal file storage paths — are never included in client-facing API responses.
File Storage
Product files for paid products are never exposed directly to the browser. File URLs in Firestore are admin-only fields.
The download flow:
User clicks Download
→ POST /api/products/download (with auth token)
→ API verifies token
→ For paid products: confirms purchase order exists for this user + product
→ For free products: allows immediately
→ Generates a signed URL (5-minute expiry, single-use intent)
→ Returns URL → Client opens in new tab| Control | Value |
|---|---|
| Direct file URL exposure | Never — fileUrl field is server-only |
| Signed URL expiry | 5 minutes |
| Storage bucket read rules | allow read: if false (signed URLs bypass this) |
| Paid product access | Order existence verified before URL generation |
Content Scanning
Every product submitted via myclaude publish passes through the CONDUIT pipeline before appearing on the marketplace. The pipeline runs myclaude scan against the product bundle.
| Check | What it detects |
|---|---|
| Secrets scan | API keys, tokens, credentials, private keys |
| Malicious patterns | Shell injection, network exfiltration patterns |
| Prohibited content | Content policy violations (see Content Policy) |
| Manifest validation | Required vault.yaml fields, version format, category validity |
Products that fail any scan are rejected before listing. Creators receive a specific error message identifying the violation.
Payment Security
Payments are processed entirely by Stripe. MyClaude never handles raw card data.
| Control | Detail |
|---|---|
| Payment processor | Stripe (PCI DSS Level 1 certified) |
| Creator payouts | Stripe Connect Express — MyClaude never holds creator funds |
| Order creation | Server-side only, triggered by Stripe webhook |
| Webhook verification | stripe.webhooks.constructEvent validates every webhook signature |
| Platform fee | 8% retained via Stripe Connect application fee |
Orders are created exclusively by the Stripe webhook handler. There is no client-side code path that can create an order. A buyer purchasing a product through any means other than Stripe checkout will not receive a valid order record, and will be denied file access.
Rate Limiting
All mutation API routes are protected by server-side rate limiting to prevent abuse.
| Endpoint category | Limit |
|---|---|
| Auth-required mutations | 60 requests / minute per user |
| Stripe checkout initiation | 10 requests / minute per user |
| File download | 20 requests / minute per user |
Related pages
- Vulnerability Disclosure — how to report security issues
- Trust & Safety — content enforcement and marketplace integrity
- Content Policy — prohibited content rules
Admin Panel
Reference for the MyClaude admin panel: role-based access, report management, product quarantine, user moderation, API routes, and audit logging.
Creator Security Guide
Security best practices for MyClaude product creators: protecting your accounts, passing content scans, designing secure products, and responding to reports.