Built to protect your accounts, not just your data.
Relay gives an AI assistant the ability to post on your behalf. That's a significant trust decision. Here's exactly what we built to make sure it's safe.
The most important thing we built
Most social publishing tools protect against external attackers. Relay also protects against the AI itself acting without your explicit approval.
Every post defaults to draft. The AI can write content and save it — but it cannot publish anything to a live social account without a human reviewing and approving it first. This is not a setting or a policy. It is the default code path.
Even if an attacker tricks the AI into calling a publish tool, the result is a saved draft — not a live post.
Prompt Injection
A malicious webpage or document tricks your AI into posting content you didn't approve.
- Every post defaults to draft — even a successfully injected call saves a draft, not a live post
- Claude is given explicit instructions to confirm content, platform, and intent before calling any publish tool
- The dashboard is a second approval gate — drafts require a manual publish action
Rate Abuse
A valid session token used to flood your connected accounts with posts.
- 30 tool calls per minute maximum on the MCP endpoint — enforced at the server level
- Per-platform daily post limits enforced in the database, not the client
- 5 posts per platform per hour hard cap — applies to all accounts regardless of plan
- Duplicate content detection blocks near-identical posts within a rolling time window
Token Exposure
A stolen session token gives an attacker posting access to your accounts.
- Session tokens are separate from your license key — a stolen token cannot access billing or create new sessions
- Platform credentials are encrypted at rest (AES-256-GCM) — the encryption key lives only in the server environment, not the database
- Session tokens expire after 90 days
- One-click session revoke from your Account tab — takes effect immediately
Cross-Account Access
One user's credentials being used to access another user's posts or connections.
- Every request resolves the session token to a specific user ID server-side
- All database queries are scoped to that user ID — there is no endpoint that accepts a user ID directly
- This is structural: a valid session cannot reach another user's data even if manipulated
Replay Attacks
Capturing a valid request and resubmitting it to trigger the same action again.
- Payment webhooks use HMAC-SHA256 signature verification with a 5-minute replay window
- Duplicate content detection catches the same content being re-posted
- Session revoke immediately invalidates all tokens — no waiting for natural expiry
Overly Broad Tool Access
An MCP server that exposes more access than needed — making it a larger attack surface.
- Each tool has one narrow purpose: post, draft, check limits, check risk, view history
- No general-purpose query tools, no admin functions, no file system access
- The MCP server never touches the database directly — all actions go through scoped edge functions with their own auth checks
Credential Exposure
API keys or platform credentials appearing in code, logs, or version control.
- Zero credentials in code — all secrets are environment variables in Railway and Supabase
- The database service key never reaches the browser or client
- Tokens and keys are never written to logs
- The MCP server codebase is not publicly hosted
Summary
| Threat | Primary Defense | Enforcement Layer |
|---|---|---|
| Prompt injection | Draft-first architecture | Code default |
| Rate abuse | Hourly + daily caps | Server-side (database) |
| Token exposure | AES-GCM encryption + revoke | Server environment |
| Cross-account access | User ID scoped queries | Database layer |
| Replay attacks | HMAC-SHA256 + time window | Edge function |
| Broad tool access | Narrow-scope tools only | API design |
| Credential exposure | Environment variables only | Infrastructure |
Questions about security?
If you're evaluating Relay for agency or enterprise use and have specific security questions, reach out directly.