Security

Built for transparent deployment.

OpenConvo keeps the architecture intentionally simple: browser-local data, server-side provider calls, free-only routing, and clear separation between hosted shared usage and user-owned keys.

Free-only routing

The app lists OpenRouter models with :free ids and sends zero max-price provider options on chat requests.

Hosted limits

Hosted free chat and hosted search use daily shared quotas. The built-in limiters are in-memory and best for early launches; production-scale deployments should add persistent edge rate limiting.
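The sketch below is an added example, not OpenConvo's own code, showing why an in-memory daily quota suits a single early-launch process but not a scaled deployment. The names DailyQuota, admittedAcrossInstances and admittedWithRestart, the limit values and the timestamps are all assumptions made for illustration.

```javascript
// Added example: hypothetical names throughout, not OpenConvo's own code.
// A per-process daily quota like the in-memory limiter the page describes.
class DailyQuota {
  constructor(limit, now = () => Date.now()) {
    this.limit = limit;   // shared requests allowed per UTC day
    this.now = now;       // injectable clock so the rollover can be tested
    this.day = null;
    this.used = 0;
  }

  tryConsume(cost = 1) {
    const today = new Date(this.now()).toISOString().slice(0, 10); // "YYYY-MM-DD" in UTC
    if (today !== this.day) {   // first request of a new day resets the counter
      this.day = today;
      this.used = 0;
    }
    if (this.used + cost > this.limit) {
      return { allowed: false, remaining: this.limit - this.used };
    }
    this.used += cost;
    return { allowed: true, remaining: this.limit - this.used };
  }
}

// Constructed scenario: `requests` calls spread round-robin over `instances`
// processes, each holding its own counter (no shared store).
function admittedAcrossInstances(instances, limit, requests) {
  const noon = () => Date.UTC(2024, 0, 1, 12); // fixed, constructed timestamp
  const pool = Array.from({ length: instances }, () => new DailyQuota(limit, noon));
  let admitted = 0;
  for (let i = 0; i < requests; i++) {
    if (pool[i % instances].tryConsume().allowed) admitted++;
  }
  return admitted;
}

// A restart is equivalent to constructing a fresh DailyQuota: the count is lost.
function admittedWithRestart(limit, requestsBefore, requestsAfter) {
  let admitted = 0;
  let quota = new DailyQuota(limit, () => Date.UTC(2024, 0, 1, 12));
  for (let i = 0; i < requestsBefore; i++) if (quota.tryConsume().allowed) admitted++;
  quota = new DailyQuota(limit, () => Date.UTC(2024, 0, 1, 13)); // process restarted
  for (let i = 0; i < requestsAfter; i++) if (quota.tryConsume().allowed) admitted++;
  return admitted;
}
```

With one process the daily limit holds exactly; with several processes or a restart the effective quota multiplies, which is the gap a persistent shared counter at the edge closes.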

Key handling

Never commit .env.local. Revoke provider keys immediately if they are exposed. User-entered keys stay in local browser storage and are excluded from exports.

Report security concerns through the maintainer contact listed in the repository. Avoid public issues for exploit details. Source code is available on GitHub.