Skip to content

Security: san64777/laughtrack

Security

SECURITY.md

Security

laughtrack runs entirely in your browser. You bring your own Gemini API key; it is stored in localStorage and sent directly to Google over the Live API WebSocket. There is no laughtrack backend, and your key never reaches any server of ours.

A raw API key used client-side can be read out of the browser, which is an accepted tradeoff for a bring-your-own-key toy (you only ever spend your own quota). For production, Google recommends minting short-lived ephemeral tokens from a small backend; that is the documented upgrade path.

If you find a security issue, please report it privately through GitHub's "Report a vulnerability" (Security advisories) instead of opening a public issue.

There aren't any published security advisories