Security
Last updated: March 10, 2026
1. Overview
Staq is designed with multiple layers of security to protect user data and ensure only authorized @zluri.com employees can access the platform. This page documents our security architecture, the protections in place, and your responsibilities as a user.
Our security approach follows the principle of defense-in-depth: multiple independent checks at different layers ensure that a failure in one mechanism does not compromise the system.
2. Authentication & Access Control
Google OAuth. Staq uses NextAuth v5 (Auth.js) with Google OAuth as the sole authentication provider. Only users with a verified @zluri.com email address can sign in.
Domain gating. The @zluri.com domain restriction is enforced at three independent levels:
- Sign-in callback — Rejects non-zluri.com emails before a session is created
- Middleware — Checks the domain on every page and API request
- Per-route guards — Each API route independently verifies the session
JWT sessions. Authentication sessions use JSON Web Tokens (JWT) with no server-side session storage. Tokens are signed using a server-side secret and contain only basic profile information (email, name, profile picture).
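The domain check behind all three enforcement points, written out as an added example (this is illustrative code, not Staq's own implementation). It assumes an Auth.js-style signIn callback receiving a Google profile with the standard email_verified claim; the names ALLOWED_DOMAIN, isAllowedEmail and isAllowedSignIn are assumptions. The point it makes is that the check must compare the exact domain after the last "@": a suffix test such as endsWith('zluri.com') would also accept notzluri.com, and a substring test would accept a lookalike with @zluri.com in the middle.

```javascript
// Added example (not Staq's own code): exact-domain gating for the Google OAuth
// sign-in callback. ALLOWED_DOMAIN, isAllowedEmail and isAllowedSignIn are
// assumed names; the profile shape follows Google's OIDC claims.
const ALLOWED_DOMAIN = 'zluri.com';

// True only when the part after the last '@' is exactly ALLOWED_DOMAIN.
// endsWith('zluri.com') would accept 'notzluri.com'; includes('@zluri.com')
// would accept 'x@zluri.com.attacker.example'. Neither is acceptable.
function isAllowedEmail(email) {
  if (typeof email !== 'string') return false;
  const normalized = email.trim().toLowerCase();
  const at = normalized.lastIndexOf('@');
  if (at <= 0 || at === normalized.length - 1) return false;
  return normalized.slice(at + 1) === ALLOWED_DOMAIN;
}

// Mirrors the shape of an Auth.js `signIn` callback. Google's profile carries
// an `email_verified` claim; an unverified address is rejected even when the
// domain matches, because the provider has not confirmed the user owns it.
function isAllowedSignIn({ profile }) {
  if (!profile || profile.email_verified !== true) return false;
  return isAllowedEmail(profile.email);
}

// The same predicate is what the middleware and each per-route guard would
// apply to the email carried in the session token, so all three layers agree.
function sessionIsAllowed(session) {
  return Boolean(session && session.user && isAllowedEmail(session.user.email));
}
```

Because the three layers share one predicate, a regression in the matcher or an internal call that skips middleware still ends at the same exact-domain comparison in the route guard.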
3. API Security
Authentication on every route. All 11 API routes independently verify the user's session and @zluri.com domain before processing any request. This protects against middleware matcher regressions or internal server-side calls that bypass middleware.
Rate limiting. Per-user sliding-window rate limiting is applied to all API endpoints to prevent abuse:
- Standard endpoints: 30 requests per minute
- Image generation: 10 requests per minute
- Batch image generation: 5 requests per minute
- Key validation: 10 requests per minute
Input validation. All API endpoints validate input length and structure before processing. Content inputs are capped at 50,000 characters, and all parameters are type-checked on the server.
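How the per-route checks in this section fit together, as an added example rather than Staq's own code. The per-minute limits and the 50,000-character cap are the values stated above; the class names (standard, image, batchImage, keyValidation), the in-memory Map, and the request fields content and brandingProfileId are assumptions for illustration. A sliding-window log is used rather than a fixed window so that a user cannot spend two full quotas by straddling a minute boundary.

```javascript
// Added example (not Staq's own code): a per-user sliding-window rate limiter
// and the checks a per-route guard runs before doing any work. Limits and the
// 50,000-character cap match this page; helper names, the in-memory Map and
// the request fields (`content`, `brandingProfileId`) are assumptions.
const WINDOW_MS = 60_000;
const LIMITS = { standard: 30, image: 10, batchImage: 5, keyValidation: 10 };
const MAX_CONTENT_CHARS = 50_000;

class SlidingWindowLimiter {
  constructor(now = () => Date.now()) {
    this.now = now;        // injectable clock so the window can be tested deterministically
    this.hits = new Map(); // "<email>:<class>" -> timestamps still inside the window
  }

  // Sliding log: only requests from the last WINDOW_MS count, so there is no
  // burst of 2x the limit around a fixed minute boundary. A single-process Map
  // is fine for illustration; multiple server instances would need shared state.
  check(userEmail, endpointClass) {
    const limit = LIMITS[endpointClass];
    if (limit === undefined) throw new Error(`unknown endpoint class: ${endpointClass}`);
    const key = `${userEmail}:${endpointClass}`;
    const t = this.now();
    const recent = (this.hits.get(key) || []).filter((ts) => t - ts < WINDOW_MS);
    const allowed = recent.length < limit;
    if (allowed) recent.push(t);
    this.hits.set(key, recent);
    return { allowed, remaining: Math.max(0, limit - recent.length) };
  }
}

// Structural and length validation of a generation request body. Returns a
// list of problems; an empty list means the body is acceptable.
function validateGenerateBody(body) {
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return ['body must be a JSON object'];
  }
  const problems = [];
  if (typeof body.content !== 'string') {
    problems.push('content must be a string');
  } else if (body.content.length > MAX_CONTENT_CHARS) {
    problems.push(`content exceeds ${MAX_CONTENT_CHARS} characters`);
  }
  if (body.brandingProfileId !== undefined && typeof body.brandingProfileId !== 'string') {
    problems.push('brandingProfileId must be a string');
  }
  return problems;
}

// Order of checks for a route guard: identity first (anonymous traffic never
// consumes a user's quota or reaches the validator), then the rate limit, then
// the input. `session` is whatever the route obtained from Auth.js.
function guardRequest(limiter, session, endpointClass, body) {
  const email = session && session.user && session.user.email;
  if (typeof email !== 'string' || !email.toLowerCase().endsWith('@zluri.com')) {
    return { ok: false, status: 401, error: 'Unauthorized' };
  }
  const { allowed } = limiter.check(email, endpointClass);
  if (!allowed) return { ok: false, status: 429, error: 'Too many requests' };
  const problems = validateGenerateBody(body);
  if (problems.length > 0) return { ok: false, status: 400, error: problems.join('; ') };
  return { ok: true, email };
}
```

A route handler would call guardRequest first and return the status and error it yields; only an ok result proceeds to the model call, with the validated content and the confirmed email available to it.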
4. Data Protection
No server-side database. Staq does not store user content on the server. All decks, slides, branding profiles, and version history are stored exclusively in the user's browser (localStorage and IndexedDB).
Encrypted cookies. Custom Gemini API keys provided by users are encrypted using AES-256-GCM before being stored in HTTP-only cookies. The encryption key is derived from the server's AUTH_SECRET. These cookies are inaccessible to client-side JavaScript (HttpOnly flag) and are only transmitted over HTTPS (Secure flag).
HTTPS everywhere. All communication between your browser and Staq's server, and between Staq's server and Google's APIs, is encrypted using HTTPS with TLS.
5. AI Model Integration
Server-side only. All Gemini API calls are made from Staq's Next.js server, never directly from the browser. API keys are never exposed to client-side JavaScript. This architecture prevents key leakage through browser developer tools, network inspection, or client-side vulnerabilities.
Content transmission. User-provided text content is sent to Google's Gemini API for processing. The transmission is encrypted via HTTPS. Generated content (text and images) is returned to the browser and stored locally.
API key isolation. Staq uses a quad-fallback API key strategy. User-provided keys are encrypted and isolated from the server's environment key. Deleting a user key safely falls back to the environment key without data loss.
6. Application Security
Error sanitization. API error responses return generic messages and never expose stack traces, internal file paths, or implementation details. Detailed error information is logged server-side only for debugging purposes.
CSRF protection. Session cookies use the SameSite attribute, so browsers do not attach them to requests initiated from other sites, which prevents cross-site request forgery attacks.
Client-side isolation. Browser storage (localStorage, IndexedDB) is isolated per origin, preventing other websites from accessing Staq's data.
7. User Responsibilities
To help maintain the security of your account and data:
- Keep your device secure with a password or biometric lock
- Do not share your authenticated session or allow others to use your account
- Do not share Gemini API keys with unauthorized individuals
- Review all AI-generated content before sharing it externally
- Report suspected security issues to the Zluri security team immediately
- Export important decks regularly — browser data can be lost if storage is cleared
- Clear browser data when using shared or public devices
8. Incident Response
If you suspect a security vulnerability, unauthorized access, or data breach related to Staq, please report it immediately to the Zluri security or engineering team through internal channels.
We take all security reports seriously and will investigate promptly. Where applicable, affected users will be notified and remediation steps will be communicated.
9. Contact
For security questions, vulnerability reports, or concerns about data protection, contact the Zluri engineering or IT team through internal channels.