Open Data Dictionary

Security

Learn about the security measures in place for the Open Data Dictionary API.

Token Storage

Your API tokens are hashed using SHA-256 before storage. We never store raw tokens — only the hash is persisted. This means even in the event of a data breach, your token cannot be recovered.

Read-Only Access

API tokens only allow read access to the dictionary. They cannot modify, create, or delete data. Write operations require authentication through the web application.

Token Rotation

You can regenerate your token at any time from your Account Settings. Regenerating immediately revokes the old token — any requests using it will return 401 Unauthorized.
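
The following is an added sketch, not the Open Data Dictionary's own code, of how hash-only token storage, rotation with immediate revocation, and the 30-day expiry mentioned under Best Practices can fit together on the server side. The `TokenStore` class, its method names and the in-memory dict are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 30 * 24 * 3600  # the page states tokens expire after 30 days


class TokenStore:
    """Hypothetical in-memory store that persists SHA-256 digests, never raw tokens."""

    def __init__(self):
        self._by_user = {}  # user_id -> (sha256 hex digest, issued_at)

    @staticmethod
    def _digest(token):
        # Unsalted SHA-256 is adequate here only because the token is a
        # high-entropy random value, not a human-chosen password.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id, now=None):
        """Generate a token and overwrite the user's previous digest (rotation).

        The raw token is returned once to the caller and is not kept.
        """
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 32 random bytes from the OS CSPRNG
        self._by_user[user_id] = (self._digest(token), now)
        return token

    def authenticate(self, presented, now=None):
        """Return (HTTP status, user_id); 401 for unknown, rotated or expired tokens."""
        now = time.time() if now is None else now
        candidate = self._digest(presented)
        for user_id, (stored, issued_at) in self._by_user.items():
            # Constant-time comparison of the two digests.
            if hmac.compare_digest(candidate, stored):
                if now - issued_at > TOKEN_TTL_SECONDS:
                    return 401, None
                return 200, user_id
        return 401, None

    def stored_values(self):
        """What a dump of the store would contain: digests only."""
        return [digest for digest, _ in self._by_user.values()]
```

Because `issue` replaces the stored digest, the previous token stops matching on the very next request, which is the behaviour described above for regeneration.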

HTTPS Only

All API requests are encrypted in transit using TLS/HTTPS. Plain HTTP requests are rejected.

If Your Token Is Compromised

If you suspect your token has been exposed:

  1. Regenerate immediately — Go to Account Settings and click "Generate API Token". This revokes the old token instantly.
  2. Update your configurations — Replace the token in your Claude Desktop, Cursor, or other MCP client configs.
  3. Review usage — Check your API usage on the settings page for any unexpected activity.

Best Practices

  • Use environment variables — Store your token in environment variables, not directly in config files that may be committed to version control.
  • Never share tokens — Each user should generate their own token. Do not share tokens across team members.
  • Rotate regularly — Tokens expire after 30 days. Regenerate proactively rather than waiting for expiry.
  • Restrict access — Only configure the token on machines and tools you control.

Data Privacy

  • The API provides read-only access to publicly approved dictionary terms. No private or user-specific data is exposed through the API.
  • API request logs are retained for rate limiting and abuse prevention only.
  • No personally identifiable information (PII) is returned in API responses.

Security concerns?

If you discover a security vulnerability, please report it in our Slack community.
