
Security

AI Accounting gives agents real write access to your books, so the security model matters. This page covers how the platform protects your data and how to use it safely.

Organization isolation

Each API key is scoped to one organization, and data is protected by row-level security in the database — an authenticated request can only ever read or modify its own organization's ledger. There is no cross-tenant access.

Treat API keys as secrets

A key grants full REST + MCP access to your books. So:

  • Store keys in environment variables or a secrets manager — never in source control, client-side code, or URLs.
  • Use separate keys per integration so you can revoke one without disrupting the others.
  • Rotate periodically, and revoke immediately if a key may have leaked.

See Authentication for rotation mechanics.

Verify webhook signatures

Every webhook delivery is signed with HMAC-SHA256 (X-Webhook-Signature). Verify it against the raw body before acting on a payload, so you only trust events that genuinely came from AI Accounting.
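
A receiver-side check for the verification described above, as an added example rather than AI Accounting's own code. It assumes the X-Webhook-Signature header carries the hex-encoded HMAC-SHA256 of the raw body with no prefix (the page does not state the encoding). The names `verify_signature` and `handle_delivery`, the sample secret and the sample payload are constructed for illustration.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed sample values for illustration; not real credentials or events.
SAMPLE_SECRET = b"whsec_constructed_example"
SAMPLE_BODY = b'{"event":"entry.posted","entry_id":"je_example_001"}'


def sign(raw_body: bytes, secret: bytes) -> str:
    """Hex HMAC-SHA256 of the raw body (hex encoding is an assumption)."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_signature(raw_body: bytes, header_value: Optional[str], secret: bytes) -> bool:
    """Return True only if the X-Webhook-Signature value matches the raw body."""
    if not header_value:
        return False  # missing header: reject rather than fall through
    try:
        provided = bytes.fromhex(header_value.strip())
    except ValueError:
        return False  # not valid hex: reject without raising
    expected = hmac.new(secret, raw_body, hashlib.sha256).digest()
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(expected, provided)


def handle_delivery(raw_body: bytes, headers: dict, secret: bytes) -> Optional[dict]:
    """Parse the payload only after the signature over the exact bytes checks out."""
    if not verify_signature(raw_body, headers.get("X-Webhook-Signature"), secret):
        return None
    return json.loads(raw_body)


if __name__ == "__main__":
    good = {"X-Webhook-Signature": sign(SAMPLE_BODY, SAMPLE_SECRET)}
    print(handle_delivery(SAMPLE_BODY, good, SAMPLE_SECRET))
    # Re-serialising the JSON changes the bytes, so the same signature fails.
    reserialised = json.dumps(json.loads(SAMPLE_BODY)).encode()
    print(handle_delivery(reserialised, good, SAMPLE_SECRET))
```

Pass the bytes exactly as they arrived on the wire: a framework that parses and re-encodes the JSON before your handler runs will produce a body that no longer matches the signature.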

Keep a human in the loop

Agents can post entries, reverse them, and close periods. When you wire an agent to AI Accounting:

  • Require confirmation for writes in your agent's workflow — review before an entry posts, rather than letting the model post unattended.
  • Stage as drafts when unsure: create entries without auto_post so a person can review and post them.
  • Prefer reversals over edits — the immutable audit trail means every change is traceable.

Be aware of prompt injection

If your agent reads untrusted content (emails, documents, web pages), that content could try to instruct it to make unauthorized changes. Constrain what the agent is allowed to do with its AI Accounting key, require human approval for financial writes, and don't give an unattended agent more authority than the task needs.

Connect only trusted MCP clients

When you connect the MCP server to a client, that client gets the same access as the API key you give it. Only connect clients you trust, and double-check the endpoint URL is the official one:

https://ai-accounting-software.vercel.app/mcp