Security
How Pearl handles your code, prompts, and credentials.
Authentication
Pearl uses OAuth2 with PKCE against auth.pearlfibers.com. Tokens are RS256-signed and rotated on refresh; refresh tokens are tracked as a family so that reuse of an already-rotated token is detected as replay.
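An added illustration of the refresh-token family tracking described above (example code, not Pearl's own implementation). It assumes opaque random refresh tokens and an in-memory store; a replayed token revokes its whole family, so a stolen copy cannot keep a session alive.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class TokenFamily:
    """One login session's chain of rotated refresh tokens."""
    family_id: str
    current: str                                 # the only refresh token currently valid
    consumed: set = field(default_factory=set)   # tokens already exchanged once
    revoked: bool = False


class RefreshTokenStore:
    """In-memory store (assumption: a real deployment persists this server-side)."""

    def __init__(self):
        self._families = {}      # family_id -> TokenFamily
        self._token_family = {}  # refresh token -> family_id

    def _mint(self, family):
        token = secrets.token_urlsafe(32)  # opaque random token (assumed format)
        family.current = token
        self._token_family[token] = family.family_id
        return token

    def issue(self):
        """Start a new family at login and return its first refresh token."""
        family = TokenFamily(secrets.token_urlsafe(16), current="")
        self._families[family.family_id] = family
        return self._mint(family)

    def refresh(self, presented):
        """Rotate a refresh token. Returns (status, new_token) where status is
        'ok', 'unknown', 'replay' or 'revoked'."""
        family_id = self._token_family.get(presented)
        if family_id is None:
            return "unknown", None
        family = self._families[family_id]
        if family.revoked:
            return "revoked", None
        if presented in family.consumed:
            # An already-rotated token came back: either the legitimate client
            # or someone holding a stolen copy replayed it. Revoke the whole
            # family so the current token is useless to whichever party kept it.
            family.revoked = True
            return "replay", None
        family.consumed.add(presented)
        return "ok", self._mint(family)

    def is_revoked(self, token):
        family_id = self._token_family.get(token)
        return family_id is not None and self._families[family_id].revoked
```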
AI gateway
Provider API keys live in 0400-mode files outside the database, owned by the gateway service account.
Zero-retention mode (available on Pro, default-on for Enterprise) skips local persistence of request bodies and instructs providers not to store the request.
BYO keys
User-supplied provider keys are encrypted at rest with libsodium's crypto_secretbox using a master key kept outside the database.
Disclosures
Email security@pearlfibers.com to report vulnerabilities. We acknowledge within one business day.
Last updated: 2026-05-08. Questions? Email legal@pearlfibers.com.