Security

The starter kit incorporates several security measures to protect your application and users when interacting with AI services.

Authenticated endpoints

All AI operation endpoints require user authentication. This is enforced through middleware that verifies the user's session before granting access to any AI features.

Authentication

Learn more about the authentication setup in TurboStarter AI.

The system creates anonymous sessions by default, but you can implement stronger authentication using the core framework's capabilities or the dedicated authentication setup.

Credit-based access

To prevent AI resource abuse, TurboStarter AI includes a credit-based system. Users receive a limited number of credits that are consumed when using AI features.

Billing

Learn more about the billing and credits system.

This approach avoids misuse while enabling potential monetization. Learn about the implementation details in the Core billing documentation.

Rate limiting

API endpoints are guarded by rate limiting to prevent abuse and ensure fair usage. This protects your application from potential denial-of-service attacks and excessive request volumes.

API

Learn more about the API layer and services in TurboStarter AI.

We use hono-rate-limiter, which supports various storage options including Redis, Cloudflare KV, and Memcached for distributed rate limiting.

Secure API key handling

Sensitive API keys for AI providers (OpenAI, Anthropic, Google AI, etc.) are managed exclusively on the backend.

They are NEVER exposed to client-side code, dramatically reducing the risk of key leakage or unauthorized usage.

AI service abuse protection

While TurboStarter AI provides application-level safeguards like credit limits and rate limiting, it's essential to implement additional protection directly with your AI providers.

By combining application-level security with provider-level controls, you'll build truly robust and secure AI applications.