Last updated June 2, 2026
Ejector sits in a sensitive spot: it reads your code and, for managed-proxy users, holds the sessions that let agents act as your app — and, with Customer Connect, the sessions of each of your end-customers too. We designed the system so that even we can't casually read those secrets, and so a leaked API key can never unlock anyone else's. This page is the honest, technical account of how.
The system is split so that each part has the least access it needs to do its job:
Agents only ever talk to the public proxy at ejector.dev. The worker and database are internal and aren't exposed to them.
Server-side credentials you add for the managed proxy are the most sensitive data we hold, and they get the strongest handling:
Your Ejector API keys are shown once, at creation, and then stored only as a hash — we can't recover the original. When an agent presents a key, the proxy resolves the right credentials through a hardened database routine keyed on that hash. The practical effect: a key can only ever unlock the credentials that belong to it, and a leaked key can never reach another customer's data. Underneath, row-level securityenforces that every query is scoped to its owner — isolation isn't left to application code.
We don't keep it. When you connect a repo, the worker pulls a temporary snapshot, runs the analysis, and deletes the snapshot — we retain only the generated spec. There's no long-lived checkout of your code on our infrastructure. Private repos are read with a scoped, encrypted token you can revoke at any time.
Exposing a live app to agents is gated behind domain-ownership verification: you prove control of the domain via a DNS TXT record or a well-known file. This gate applies to network capture, registering a live app URL, and — most importantly — Customer Connect. It's a deliberate guardrail: it stops anyone from pointing Ejector at an app they don't control to harvest its users' logins.
With Customer Connect, each of your end-customers signs in (or signs up) with their own app login on a page you embed. We handle that the same careful way as your own session:
If you capture an authenticated app by supplying a login, those credentials are used in memory only, for that one capture run, to drive the headless browser. They're never written to disk or stored in our database.
We build on reputable managed providers that maintain their own security programs and certifications, and we keep our own footprint minimal: the analysis worker is secret-gated and not publicly callable for analysis, internal service keys are scoped, and each component holds only the access it needs. Optional AI features — endpoint summaries during analysis and the page-read tool — send only the relevant text to an AI provider to generate the result; no stored secrets or credentials are ever sent.
We welcome reports from security researchers. If you believe you've found a vulnerability, email contact@ejector.devwith steps to reproduce. Please give us a reasonable window to fix it before disclosing, and avoid accessing other users' data or degrading the service while testing — we won't pursue good-faith research that respects those bounds.