Security posture.
How Haunt protects keys, request data, infrastructure, and honest failure boundaries.
Last updated: 3 June 2026.
Trust route
Legal and privacy questions go to support@hauntapi.com. Security reports go there too.
These pages are plain-English operating terms, not a badge saying a lawyer has blessed every comma.
Security posture
Haunt is built around cautious extraction: hashed API keys, password hashing, HTTPS, request IDs, rate limits, redaction, encrypted or redacted request history where appropriate, and honest failure classes for blocked or login-only pages.
Credentials
- Customer API keys are stored as hashes. Lost keys cannot be recovered, only regenerated.
- Passwords are stored as password hashes, not plaintext.
- Use X-API-Key or Authorization: Bearer. Do not put keys in URLs.
- If you submit BYO headers or cookies, only send credentials you are authorised to use, and rotate them if they leak.
Request data handling
Haunt processes submitted URLs, prompts, fetched page content, and extraction output to return the requested JSON. By default, it does not retain fetched page content, customer prompts, or extracted results as scrape history.
Request metadata is used for support, debugging, abuse prevention, billing evidence, rate limits, and reliability. Sensitive fields are redacted or encrypted where appropriate. Haunt should not store raw API keys, full customer secrets, or raw credential headers in public logs.
Infrastructure controls
- Public API traffic uses HTTPS.
- Admin and billing webhook paths are not meant for public OpenAPI discovery.
- Outbound extraction paths use SSRF controls and blocked-address protections.
- Abuse and rate limits protect the API and third-party sites.
- Production health checks avoid exposing secrets or customer payloads.
Responsible disclosure
Report security issues to support@hauntapi.com with enough detail to reproduce the problem. Do not access customer data, run destructive tests, spam the API, attack third-party sites through Haunt, or publish details before we have had a fair chance to fix the issue.
No bug bounty
Haunt does not currently run a paid bug bounty. Responsible reports are welcome. Demanding payment after unsolicited testing is not a bounty program, it is just cosplay with invoices.
Related trust pages
For data handling and vendor details, read privacy, the DPA, and the subprocessor list.