Security boundaries

What Yalla never exposes, and how secrets and tokens are handled.

Yalla treats credentials as data that never leaves the backend. This documentation, the CLI, and the control plane all follow the same boundary.

Never exposed

  • API keys, bearer tokens, and session tokens are never stored in browser storage.
  • Secret variable values are redacted after creation and never echoed back.
  • Connection strings and private runtime provider names never appear in public docs.
  • Logs, telemetry, and screenshots are scrubbed of secret-shaped values.

Reporting an issue

Include the request_id from the error envelope when you contact support — it lets us trace the request without exposing any secret.

Caution: If you believe a secret was exposed, rotate it immediately with yalla variables set <KEY> and notify support.
