governium.olalaai.org
Security
Governium is designed for production enforcement where decisions must be deterministic, attributable, and safe by default.
API keys
API keys are stored as SHA-256 hashes for lookup. The plaintext value is encrypted at rest and can be revealed once in the account UI. After reveal, the encrypted material is removed.
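The storage scheme described above, as an added in-memory sketch in Node.js (not Governium's own code): a SHA-256 hash for lookup, an encrypted copy for a single reveal, and deletion of that copy after the reveal. The class and method names, the `gk_` key prefix, AES-256-GCM as the at-rest cipher, and a wrapping key supplied by the caller are all assumptions made for the illustration.

```javascript
// Added example: in-memory sketch of hash-for-lookup plus reveal-once storage.
// KeyStore, issue, revealOnce and authenticate are hypothetical names.
const crypto = require('node:crypto');

const sha256 = (s) => crypto.createHash('sha256').update(s, 'utf8').digest('hex');

class KeyStore {
  constructor(wrappingKey) {
    this.wrappingKey = wrappingKey; // 32-byte AES key; assumed to come from a KMS
    this.records = new Map();       // lookup hash -> record
  }

  // Create a key. Only its hash and an AES-256-GCM ciphertext are stored.
  issue(accountId) {
    const plaintext = 'gk_' + crypto.randomBytes(24).toString('hex'); // constructed format
    const iv = crypto.randomBytes(12);
    const cipher = crypto.createCipheriv('aes-256-gcm', this.wrappingKey, iv);
    const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
    const hash = sha256(plaintext);
    this.records.set(hash, { accountId, sealed: { iv, ct, tag: cipher.getAuthTag() } });
    return hash; // record identifier; the plaintext is not returned here
  }

  // Decrypt for display, then delete the ciphertext so it cannot be shown again.
  revealOnce(hash) {
    const rec = this.records.get(hash);
    if (!rec || !rec.sealed) return null; // unknown record or already revealed
    const { iv, ct, tag } = rec.sealed;
    const decipher = crypto.createDecipheriv('aes-256-gcm', this.wrappingKey, iv);
    decipher.setAuthTag(tag); // final() throws if the stored ciphertext was altered
    const plaintext = Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
    rec.sealed = null;
    return plaintext;
  }

  // Request path: hash the presented key and look it up. Nothing is decrypted.
  authenticate(presentedKey) {
    if (typeof presentedKey !== 'string' || presentedKey.length === 0) return null;
    const rec = this.records.get(sha256(presentedKey));
    return rec ? rec.accountId : null;
  }
}
```

An unsalted SHA-256 lookup hash is reasonable here only because the key is a long random value; it would not be for user-chosen secrets such as passwords.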
Safe failure modes
The gateway rejects invalid requests early and returns explicit error codes for missing keys, rate limits, monthly limits, and malformed inputs.
Deterministic, audit-friendly responses
Every decision includes a decision field (allow/block), a reason code, policy bundle identifiers, and a request ID. These fields support incident reviews and compliance evidence.
Data access control
Firestore rules prevent client-side writes and keep API key material server-only. Stripe provisioning updates subscription status and key state through server webhooks.