Security
API key management
Storage
- Never commit API keys to version control. Add
.mcp.jsonand any config files containing keys to your.gitignore. - Store keys in environment variables or a secrets manager (e.g., 1Password, Doppler, AWS Secrets Manager).
- Use separate keys for development, staging, and production. Each key has independent balance and usage tracking.
Rotation
If a key is compromised:
- Create a new key in the Developer Portal (opens in a new tab)
- Update your environment variables / config
- Revoke the old key
Keys can be created, toggled (enabled/disabled), and revoked from the Developer Portal or via the key management API.
Least privilege
- Create purpose-specific keys: one for your agent, one for your dashboard, one for CI/CD
- Monitor usage per key via
GET /v1/statusor the Developer Portal usage dashboard - Disable keys you're not actively using
Spend controls
Daily spend cap
Every API key has a daily spend cap (default: $50/day). If your key hits the cap, the API returns 429:
{
"error": "Daily spend cap reached",
"daily_spent_cents": 5000,
"daily_cap_cents": 5000,
"resets_at": "2026-03-12T00:00:00.000Z"
}This prevents runaway agent loops from draining your balance. The cap resets at midnight UTC.
Balance visibility
Every charged response includes your remaining balance:
{
"cost_cents": 10,
"balance_cents": 490
}Use GET /v1/status (free) to check balance and daily spend at any time.
MCP server security
Local stdio transport (current)
The Frontrun MCP server runs as a local subprocess via stdio transport. This means:
- No network ports are opened
- No external attack surface
- The API key stays in your local environment
- Communication happens over stdin/stdout between your MCP client (Claude Desktop, Claude Code, Cursor) and the server process
This is the recommended MCP transport for individual developer use.
Key handling for MCP
Configure your API key via environment variable, not hardcoded in config:
{
"frontrun": {
"command": "npx",
"args": ["frontrun-mcp-server"],
"env": {
"FRONTRUN_API_KEY": "your_key_here"
}
}
}For Claude Desktop on macOS, the config file is at:
~/Library/Application Support/Claude/claude_desktop_config.json
Ensure this file is not synced to cloud storage or version control.
Treating MCP tool outputs
When using Frontrun through MCP in AI workflows:
- Graph data (follows, convergence, trending) is deterministic and can be trusted as factual
- Classifications (sector, entity_type, tags) are AI-generated and probabilistic — verify high-stakes decisions against primary sources
- All data originates from public social graph information — no private or privileged data is accessed
Rate limits & abuse prevention
| Protection | Limit |
|---|---|
| Per-minute rate limit | 60 requests/min (varies by tier) |
| Daily spend cap | $50/day (default) |
| API key required | All endpoints except docs |
| Key revocation | Instant via Developer Portal |
Rate limit tiers
| Tier | Requests/min | Requests/day |
|---|---|---|
| Free | 10 | 100 |
| Starter | 30 | 1,000 |
| Pro | 60 | 5,000 |
Infrastructure
- API traffic is proxied through
frontrun.vc/v1— your requests never hit infrastructure URLs directly - All API communication is over HTTPS (TLS 1.2+)
- API keys are stored hashed in the database — only the last 8 characters are visible in the Developer Portal
- Usage is logged per-key for billing and audit purposes
- No request bodies or response data are logged — only metadata (endpoint, cost, status code, timestamp)