Security Notes
Last updated · 2026-05-09
Practical security guidance for running Nootely. This page is deliberately concrete: each item describes what the prototype does today and what you should add for production.
Access-token protected usage
No backend API call is made until the user provides the access token issued by the backend `secret.py` service. The token is sent as `Authorization: Bearer <token>` and is not included in exports.
API key handling
The prototype keeps provider API keys in browser memory only. They are masked in the UI, never logged to the console, and excluded from exports. For production, route keys through your backend instead of accepting them in the browser.
Microsoft sign-in (discovery flow)
The “Connect Microsoft” option in the credential modal uses MSAL.js with the OAuth 2.0 Authorization Code Flow with PKCE. The Microsoft access token is held in this tab's memory only — MSAL is configured with `cacheLocation: "memoryStorage"` — and we never request the `offline_access` scope, so no refresh token is minted.
The token is sent in-flight to two Edge Functions (`azure-discover` and `credentials-save` with `source=ms-oauth`). Those functions use it once to call Azure Resource Manager and never persist it. After credential setup the runtime path is identical to the manual flow — only the API key stored in Supabase Vault is used.
Browser storage warning
Anything stored in localStorage is readable by other scripts running on the same origin. Nootely does not store API keys or access tokens in localStorage by default — keep it that way.
Backend proxy recommendation
For production, deploy a thin backend that holds provider keys server-side, brokers the realtime connection, and accepts only the access token from the browser. This avoids exposing long-lived secrets to client devices.
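The proxy described above and the bearer-token check from "Access-token protected usage", as an added example that is not Nootely's own `secret.py` or Edge Function code: the handler accepts only the backend-issued access token from the browser, compares it in constant time, forwards an allowlist of request headers, and attaches the provider key server-side so the client never handles it. The function names, environment variable names and the allowlist are assumptions; the actual upstream HTTP call is left to the caller so the handler can run offline.

```python
import hmac
import os
from typing import Dict, Optional

# Hypothetical variable names; the real service may use others.
ACCESS_TOKEN_ENV = "NOOTELY_ACCESS_TOKEN"
PROVIDER_KEY_ENV = "PROVIDER_API_KEY"

# Only these client headers are passed on; everything else (including any
# credential the browser might try to send) is dropped.
FORWARDED_HEADERS = {"content-type"}


def extract_bearer(auth_header: Optional[str]) -> Optional[str]:
    """Return the token from 'Authorization: Bearer <token>', else None."""
    if not auth_header:
        return None
    scheme, _, token = auth_header.partition(" ")
    token = token.strip()
    if scheme.lower() != "bearer" or not token:
        return None
    return token


def build_upstream_request(headers: Dict[str, str], body: bytes,
                           expected_token: str, provider_key: str) -> dict:
    """Validate the browser request and describe the call to make upstream.

    Returns {"status": 401, "error": ...} when the access token is missing or
    wrong, otherwise {"status": 200, "headers": ..., "body": ...} with the
    provider key injected server-side.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    token = extract_bearer(lowered.get("authorization"))
    # compare_digest keeps the comparison constant-time for equal-length inputs
    if token is None or not hmac.compare_digest(token.encode(), expected_token.encode()):
        return {"status": 401, "error": "missing or invalid access token"}
    upstream_headers = {k: v for k, v in lowered.items() if k in FORWARDED_HEADERS}
    # The browser's Authorization header is never forwarded; the provider
    # credential comes from the server's environment only.
    upstream_headers["authorization"] = f"Bearer {provider_key}"
    return {"status": 200, "headers": upstream_headers, "body": body}


def handle(headers: Dict[str, str], body: bytes) -> dict:
    """Entry point wired to a route: reads secrets from the environment."""
    return build_upstream_request(headers, body,
                                  os.environ[ACCESS_TOKEN_ENV], os.environ[PROVIDER_KEY_ENV])
```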
HTTPS requirement
The browser microphone API only works on secure origins. Always serve Nootely over HTTPS in production. Any backend it talks to should also use HTTPS.
Third-party provider responsibility
Audio and transcripts are processed by the providers you configure. Review the data residency and retention policies of OpenAI or Microsoft Azure before enabling production use.
Audio and transcript sensitivity
Real conversations often contain personal or confidential information. Treat transcripts and summaries as sensitive by default, even when stored locally.
Recommended production deployment
- Serve the frontend over HTTPS with a strict Content-Security-Policy.
- Move provider keys behind a backend; the browser only ever sees the access token.
- Rotate the access token regularly and on suspected compromise.
- Log API errors server-side, not in the browser.
- Set sensible request timeouts and rate limits on your backend.
Reporting security issues
Please report security issues privately to the project maintainer before disclosing publicly.