Security
Security practices
Last updated: June 2026
AgentMetrics is self-hosted open-source software. Your agent data stays on your infrastructure. This page covers how the server handles API keys and data, and how to report a vulnerability.
Data in transit
All communication between the SDK, the API server, and the dashboard should run over TLS in production deployments. When you deploy AgentMetrics behind a reverse proxy (Nginx, Caddy, Traefik), configure TLS there. The SDK accepts any HTTPS endpoint as AGENTMETRICS_URL.
Data at rest
AgentMetrics stores metrics in SQLite by default. For production use, connect a PostgreSQL database via the DB_URL environment variable and enable encryption at the database or volume level using your infrastructure provider's tooling.
API key handling
AgentMetrics API keys are hashed using HMAC-SHA256 before being stored. The server never stores your key in plaintext. If you lose your API key, it cannot be recovered — rotate it from the Settings page, which immediately invalidates the old key.
Store your API key in environment variables, not in source code. Keys committed to repositories should be rotated immediately.
Access controls
The dashboard is protected by the API key you generate during setup. For team deployments, put the server behind a VPN or firewall so only your team's machines can reach it. The API and dashboard do not expose public endpoints by default.
Dependency security
The server and SDKs are open source. You can audit every dependency by reviewing the pyproject.toml and package.json files in the repository. We pin dependencies and run automated dependency scanning on the main branch.
Vulnerability disclosure
If you discover a security vulnerability in AgentMetrics, please disclose it responsibly:
- Email hi@agentmetrics.dev with subject line "Security vulnerability"
- Include a description of the issue, steps to reproduce, and the potential impact
- Do not publicly disclose the vulnerability before we have had a chance to investigate and release a fix
We will acknowledge your report within 48 hours and provide a resolution timeline. We will credit researchers in our changelog where appropriate and with permission.
Contact
For security questions or vulnerability reports, email hi@agentmetrics.dev.