DealerMAX Developers
Security
Security posture for the public developer surface: read-only data plane, scoped API keys, backend-only integration guidance, and coordinated vulnerability disclosure.
API key handling
- Keys are generated inside DealerMAX and shown once.
- Server-side storage keeps only a SHA-256 hash of a high-entropy token.
- Keys are hashed without a salt or pepper; their security rests on the entropy of the random token itself.
- Regeneration invalidates the previous key.
- Never place a key in browser JavaScript, mobile app bundles, screenshots, or public repos.
Platform boundaries
- The DealerMAX app creates and rotates keys through the Control Plane.
- apimax serves only read-only dealer data and validates keys from the shared DB.
- developers.dealermax.app documents contracts and never accepts dealer secrets.
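The key lifecycle described under "API key handling" and the Control Plane / apimax split under "Platform boundaries" can be sketched in a few lines. The following is an added illustration written for this page, not DealerMAX code: the in-memory KEY_TABLE stands in for the shared database, the "dmx_" prefix is an assumed convention (useful for secret scanners, not a documented DealerMAX format), and the function names are hypothetical.

```python
import hashlib
import secrets
from typing import Dict, Optional

# Constructed stand-in for the shared key table that the Control Plane writes
# and apimax reads. It maps sha256(key) -> dealer_id; plaintext keys are never stored.
KEY_TABLE: Dict[str, str] = {}

KEY_PREFIX = "dmx_"  # assumed prefix so leaked keys are easy to grep for; not a DealerMAX format


def hash_key(key: str) -> str:
    """Unsalted SHA-256 of the key; the key's own 256 bits of entropy take the place of a salt."""
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


def key_fingerprint(key: str) -> str:
    """Short, non-secret identifier that is safe to quote in logs or a vulnerability report."""
    return hash_key(key)[:12]


def issue_key(dealer_id: str) -> str:
    """Control Plane side: mint a key, persist only its hash, return the plaintext exactly once.

    Calling this again for the same dealer is a regeneration: the old hash is removed
    first, so the previous key stops validating immediately.
    """
    for digest, owner in list(KEY_TABLE.items()):
        if owner == dealer_id:
            del KEY_TABLE[digest]
    key = KEY_PREFIX + secrets.token_urlsafe(32)  # 32 random bytes = 256 bits of entropy
    KEY_TABLE[hash_key(key)] = dealer_id
    return key


def authenticate(presented: str) -> Optional[str]:
    """apimax side: hash the presented key and look it up; returns dealer_id or None.

    A lookup keyed on the digest is fine here: the attacker never learns the stored
    digest, and a high-entropy token cannot be recovered from any timing difference
    in comparing hashes of it.
    """
    if not presented.startswith(KEY_PREFIX):
        return None
    return KEY_TABLE.get(hash_key(presented))


if __name__ == "__main__":
    first = issue_key("dealer-42")
    print("issued fingerprint:", key_fingerprint(first))
    print("first key valid:", authenticate(first))
    second = issue_key("dealer-42")  # regeneration
    print("first key after regeneration:", authenticate(first))
    print("second key valid:", authenticate(second))
```

Two design points follow from the page's own rules: the plaintext key exists only in the return value of issue_key, so there is nothing for a database dump to reveal, and the fingerprint is what a reporter should cite in place of the key itself, matching the "do not include plaintext API keys" rule under Reporting.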
Reporting
Report vulnerabilities to security@dealermax.app. Include the affected host, reproduction steps, and impact. Do not include plaintext API keys, and do not open public GitHub issues for security findings. The RFC 9116 security.txt file is published at https://developers.dealermax.app/.well-known/security.txt.
Machine-readable trust links
| Resource | Path |
|---|---|
| APIs index | /.well-known/apis.json |
| Subprocessors | /.well-known/subprocessors.json |
| Security advisories | /.well-known/security-advisories.atom |