# Security boundaries

> What Yalla never exposes, and how secrets and tokens are handled.

Yalla treats credentials as never-leave-the-backend data. This documentation, the CLI, and the control plane follow the same boundary.

## Never exposed

- API keys, bearer tokens, and session tokens are never stored in browser storage.
- Secret variable values are redacted after creation and never echoed back.
- Connection strings and private runtime provider names never appear in public docs.
- Logs, telemetry, and screenshots are scrubbed of secret-shaped values.
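The last item above, scrubbing secret-shaped values from logs and telemetry, is the kind of boundary a practitioner usually wants to see in code. The following is an added example of such a scrubber; it is not Yalla's own redaction code, and its patterns (bearer tokens, credential-named key/value pairs, passwords inside connection strings, and long token-like runs) as well as the assumption that a `request_id` is UUID-shaped are illustrative choices made here. It also shows the edge case that matters most: a `request_id` must survive scrubbing, because it is the one value support asks you to share.

```python
import re
from typing import Any

REDACTED = "[REDACTED]"

# Assumption for this example: request_ids are UUIDs. They must NOT be
# redacted, since the request_id is what support uses to trace a request.
UUID_RE = re.compile(
    r"^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$"
)

# Illustrative secret-shaped patterns (not Yalla's published rules).
# "Authorization: Bearer <token>" in request/response logs.
BEARER_RE = re.compile(r"(?i)\b(bearer\s+)[A-Za-z0-9\-._~+/]+=*")
# key=value or key: value pairs whose key names a credential, optionally quoted.
KV_RE = re.compile(
    r"(?i)\b(api[_-]?key|secret|token|password|passwd)(\s*[=:]\s*)(['\"]?)([^\s'\",;]+)\3"
)
# Connection strings of the form scheme://user:password@host.
CONN_RE = re.compile(r"(?i)\b([a-z][a-z0-9+.-]*://[^:/\s@]+:)([^@\s]+)(@)")
# Long high-entropy-looking runs (32+ base64url/hex-alphabet characters).
LONG_TOKEN_RE = re.compile(r"(?<![A-Za-z0-9_\-])[A-Za-z0-9_\-]{32,}(?![A-Za-z0-9_\-])")

# Key names treated as secret-bearing when scrubbing structured telemetry.
SECRET_KEY_NAMES = ("api_key", "apikey", "secret", "token", "password", "passwd", "authorization")


def _keep_request_ids(m: re.Match) -> str:
    """Redact a long token unless it is a UUID-shaped request_id."""
    tok = m.group(0)
    return tok if UUID_RE.match(tok) else REDACTED


def scrub_text(text: str) -> str:
    """Redact secret-shaped values in a free-text log line."""
    text = BEARER_RE.sub(lambda m: m.group(1) + REDACTED, text)
    text = KV_RE.sub(lambda m: m.group(1) + m.group(2) + m.group(3) + REDACTED + m.group(3), text)
    text = CONN_RE.sub(lambda m: m.group(1) + REDACTED + m.group(3), text)
    text = LONG_TOKEN_RE.sub(_keep_request_ids, text)
    return text


def _is_secret_key(key: str) -> bool:
    """True when a structured field name looks like it carries a credential."""
    k = key.lower().replace("-", "_")
    return any(name in k for name in SECRET_KEY_NAMES)


def scrub_value(obj: Any) -> Any:
    """Recursively scrub a JSON-like telemetry payload.

    Values under secret-named keys are redacted outright; other strings are
    passed through scrub_text so secrets hiding in message text are caught too.
    """
    if isinstance(obj, dict):
        return {k: (REDACTED if _is_secret_key(k) else scrub_value(v)) for k, v in obj.items()}
    if isinstance(obj, list):
        return [scrub_value(v) for v in obj]
    if isinstance(obj, str):
        return scrub_text(obj)
    return obj


if __name__ == "__main__":
    # Constructed sample log lines (not real credentials or real Yalla output).
    sample_lines = [
        "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.abc.def",
        "api_key=sk_test_0123456789abcdef0123456789abcdef request_id=550e8400-e29b-41d4-a716-446655440000",
        "db: postgres://app:hunter2@db.internal:5432/yalla",
        "password: 's3cr3t!' user=alice",
    ]
    for line in sample_lines:
        print(scrub_text(line))
    print(scrub_value({"request_id": "550e8400-e29b-41d4-a716-446655440000",
                       "headers": {"X-Api-Key": "abc"}, "msg": "token=xyz"}))
```

The order of substitutions matters: header and key/value rules run before the generic long-token rule, so the field name that gives a secret its context is preserved while the value is replaced, and the UUID check on the generic rule is what keeps a `request_id` readable. Any run of 32 or more token-alphabet characters that is not a UUID is redacted even when it has no recognisable label, which is the safer default for screenshots and free-form telemetry.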

## Reporting an issue

Include the `request_id` from the [error envelope](/docs/api-envelopes) when you contact support — it lets us trace the request without exposing any secret.

> [!CAUTION]
> If you believe a secret was exposed, rotate it immediately with `yalla variables set <KEY>` and notify support.
