Security

Last updated: June 2026

Reporting a vulnerability

If you discover a security vulnerability in Jobclaw, please disclose it responsibly by emailing security@jobclaw.fyi. We will respond within 48 hours and aim to patch confirmed issues within 7 days.

API key handling

OpenAI API keys are stored locally on your machine at ~/.jobclaw/secrets.json with file permissions set to 600 (owner read/write only, no group or world access). They are never sent to Jobclaw servers.
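As an added example (not Jobclaw's own code), the following Python routine shows the two sides of that permission guarantee: writing the secrets file so that it is never more permissive than 0600 at any point, and refusing to load a file whose mode or ownership has since been widened, the same check OpenSSH applies to private keys. The path ~/.jobclaw/secrets.json comes from the page; the key name openai_api_key and the self_check helper are assumptions for illustration.

```python
import json
import os
import stat
import tempfile
from pathlib import Path

SECRETS_PATH = Path("~/.jobclaw/secrets.json").expanduser()


def write_secrets(secrets: dict, path: Path = SECRETS_PATH) -> None:
    """Write secrets atomically; mkstemp creates the file 0600, so it is never world-readable."""
    path.parent.mkdir(parents=True, exist_ok=True)
    fd, tmp = tempfile.mkstemp(dir=path.parent, prefix=".secrets-")
    try:
        with os.fdopen(fd, "w") as f:
            json.dump(secrets, f)
        os.replace(tmp, path)  # rename keeps the 0600 mode of the temp file
    except BaseException:
        os.unlink(tmp)
        raise


def check_secrets_mode(path: Path) -> list[str]:
    """Return a list of problems with the file's mode/ownership; empty means safe to load."""
    st = os.lstat(path)  # lstat: do not follow a symlink planted at the path
    problems = []
    if not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file (symlink or special file)")
    if st.st_uid != os.getuid():
        problems.append("not owned by the current user")
    if st.st_mode & 0o077:
        problems.append(f"mode {oct(st.st_mode & 0o777)} grants group/other access; expected 0600")
    return problems


def load_secrets(path: Path = SECRETS_PATH) -> dict:
    """Load the secrets only if the file still has its intended permissions."""
    problems = check_secrets_mode(path)
    if problems:
        raise PermissionError(f"refusing to load {path}: " + "; ".join(problems))
    with open(path) as f:
        return json.load(f)


def self_check() -> dict:
    """Round trip in a throwaway directory using a constructed, non-real key value."""
    with tempfile.TemporaryDirectory() as d:
        p = Path(d) / "secrets.json"
        write_secrets({"openai_api_key": "sk-EXAMPLE-not-a-real-key"}, p)
        ok_problems, loaded = check_secrets_mode(p), load_secrets(p)
        p.chmod(0o644)  # simulate a file that was widened after creation
        bad_problems = check_secrets_mode(p)
        try:
            load_secrets(p)
            refused = False
        except PermissionError:
            refused = True
    return {"ok_problems": ok_problems, "loaded": loaded,
            "bad_problems": bad_problems, "refused": refused}
```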

Authentication

User sessions are managed via Supabase Auth with short-lived JWTs. We recommend enabling two-factor authentication on your linked GitHub account.

Data in transit

All communication between the Jobclaw CLI, API, and web app is encrypted via TLS 1.2+.