[{"data":1,"prerenderedAt":234},["ShallowReactive",2],{"\u002Ffeatures\u002Fsecurity":3},{"id":4,"title":5,"body":6,"description":218,"excerpt":219,"extension":223,"image":224,"meta":225,"navigation":226,"path":227,"seo":228,"stem":229,"tags":230,"__hash__":233},"features\u002Ffeatures\u002Fsecurity.md","Security",{"type":7,"value":8,"toc":201},"minimark",[9,13,18,23,26,29,33,36,55,59,62,66,69,72,76,79,112,116,119,122,126,129,155,158,162,165,168,172,192],[10,11,12],"p",{},"LamaTrader is designed around the principle that a trading platform has no tolerance for security shortcuts. Your brokerage credentials, your positions, and your financial data require protection that goes beyond standard web application practices. Every layer of the platform — authentication, credential storage, data transmission, and API access — is built with this in mind.",[14,15,17],"h2",{"id":16},"authentication","Authentication",[19,20,22],"h3",{"id":21},"alpaca-oauth","Alpaca OAuth",[10,24,25],{},"The recommended authentication path is Alpaca OAuth. LamaTrader never sees your Alpaca password. The authorization flow happens entirely on Alpaca's servers — you log in to Alpaca, grant LamaTrader's specific requested permissions, and an authorization token is returned. No credential is ever transmitted to or stored on LamaTrader's servers.",[10,27,28],{},"You can review and revoke LamaTrader's OAuth authorization at any time from your Alpaca account security settings. Revoking access immediately disconnects the platform.",[19,30,32],{"id":31},"platform-authentication","Platform Authentication",[10,34,35],{},"LamaTrader uses Better Auth for platform session management. Authentication supports:",[37,38,39,43,46,49,52],"ul",{},[40,41,42],"li",{},"Email and password with secure hashed credential storage",[40,44,45],{},"Social login providers (Google, GitHub) where configured",[40,47,48],{},"Session tokens with configurable expiry",[40,50,51],{},"Device approval for new login locations — unknown devices require explicit approval before access is granted",[40,53,54],{},"Concurrent session management — view and revoke all active sessions from account settings",[14,56,58],{"id":57},"encrypted-credential-storage","Encrypted Credential Storage",[10,60,61],{},"When you add brokerage accounts via API key and secret (for delegated or additional accounts), those credentials are stored encrypted at rest. The encryption key is derived from your account credentials — stored credentials cannot be decrypted without your active authenticated session.",[19,63,65],{"id":64},"client-side-encryption-mode","Client-Side Encryption Mode",[10,67,68],{},"For traders with strict data privacy requirements, LamaTrader supports a client-side encryption mode. In this mode, sensitive account data (API keys, personal preferences, watchlists) is encrypted in the browser before being sent to any server. The server stores only ciphertext it cannot read.",[10,70,71],{},"This mode ensures that even in the event of a server-side breach, your brokerage credentials remain protected. The trade-off is that data cannot be recovered if you lose your encryption passphrase — there is no server-side recovery path by design.",[14,73,75],{"id":74},"cloudflare-infrastructure","Cloudflare Infrastructure",[10,77,78],{},"LamaTrader's backend runs on Cloudflare's global edge network, which provides:",[37,80,81,88,94,100,106],{},[40,82,83,87],{},[84,85,86],"strong",{},"TLS encryption on all connections"," — all data in transit between your browser and LamaTrader's servers is encrypted via HTTPS. Unencrypted connections are rejected.",[40,89,90,93],{},[84,91,92],{},"DDoS protection"," — Cloudflare's network absorbs volumetric attacks before they reach the application layer, maintaining availability during market hours.",[40,95,96,99],{},[84,97,98],{},"WAF (Web Application Firewall)"," — automated filtering of malicious request patterns, SQL injection, XSS, and other OWASP Top 10 attack vectors.",[40,101,102,105],{},[84,103,104],{},"Bot protection"," — rate limiting and bot scoring on authentication endpoints to protect against credential stuffing attacks.",[40,107,108,111],{},[84,109,110],{},"Global edge deployment"," — requests are served from the data center closest to you, reducing latency and limiting data traversal across the public internet.",[14,113,115],{"id":114},"api-permission-boundaries","API Permission Boundaries",[10,117,118],{},"When a brokerage account is connected via API key, the permissions granted are scoped to what that key was created with on Alpaca's side. LamaTrader enforces an additional layer: it only requests the permissions it needs (trading and market data) and does not expose endpoints for operations outside that scope.",[10,120,121],{},"For delegated trading specifically: a trading API key does not grant withdrawal, banking, or account management capabilities. These functions require separate authentication on Alpaca's platform. A power trader operating on someone else's behalf through LamaTrader cannot withdraw funds or access sensitive account settings — by design, at the API level.",[14,123,125],{"id":124},"code-mode-sandbox-security","Code Mode Sandbox Security",[10,127,128],{},"AI Code Mode strategies execute inside a QuickJS sandbox — an isolated JavaScript runtime that enforces:",[37,130,131,137,143,149],{},[40,132,133,136],{},[84,134,135],{},"No filesystem access"," — strategies cannot read or write files on the host system",[40,138,139,142],{},[84,140,141],{},"No arbitrary network access"," — all HTTP calls are proxied through LamaTrader's API gateway; requests to external URLs are blocked",[40,144,145,148],{},[84,146,147],{},"Resource limits"," — CPU time and memory are capped to prevent runaway execution",[40,150,151,154],{},[84,152,153],{},"Audit logging"," — every strategy execution is logged with full input, output, and action records",[10,156,157],{},"You review and approve every strategy before it runs. The sandbox enforces technical boundaries after you do.",[14,159,161],{"id":160},"data-retention-and-privacy","Data Retention and Privacy",[10,163,164],{},"LamaTrader does not sell or share your trading data with third parties. Market data and position information displayed in the platform are sourced from Alpaca and used only to power the features you're actively using.",[10,166,167],{},"AI conversation content sent to third-party providers (OpenAI, Anthropic, Google Gemini, DeepSeek, Qwen) is governed by those providers' respective privacy policies. For traders who require that no data leaves their local environment, the Ollama integration runs AI models entirely on-device — no conversation content or position data is transmitted externally.",[14,169,171],{"id":170},"security-best-practices-for-users","Security Best Practices for Users",[37,173,174,177,180,183,186,189],{},[40,175,176],{},"Use a strong, unique password for your LamaTrader account",[40,178,179],{},"Enable device approval to prevent unauthorized logins from new locations",[40,181,182],{},"Use OAuth where possible — avoid storing API keys if OAuth covers your use case",[40,184,185],{},"For delegated accounts you manage, ensure the account holder creates a dedicated trading-only API key with minimum necessary permissions",[40,187,188],{},"Review your active sessions periodically and revoke any you don't recognize",[40,190,191],{},"Use the Ollama integration if you're not comfortable with your position data reaching third-party AI providers",[10,193,194,195,200],{},"Report security concerns to ",[196,197,199],"a",{"href":198},"mailto:info@optimaxsoftware.com","info@optimaxsoftware.com",".",{"title":202,"searchDepth":203,"depth":203,"links":204},"",2,[205,210,213,214,215,216,217],{"id":16,"depth":203,"text":17,"children":206},[207,209],{"id":21,"depth":208,"text":22},3,{"id":31,"depth":208,"text":32},{"id":57,"depth":203,"text":58,"children":211},[212],{"id":64,"depth":208,"text":65},{"id":74,"depth":203,"text":75},{"id":114,"depth":203,"text":115},{"id":124,"depth":203,"text":125},{"id":160,"depth":203,"text":161},{"id":170,"depth":203,"text":171},"LamaTrader is built with security as a foundational requirement — OAuth authentication, encrypted credential storage, Cloudflare's global edge network, client-side encryption options, and strict API permission boundaries for delegated accounts.",{"type":7,"value":220},[221],[10,222,12],{},"md","\u002Ffeatures\u002Fsecurity.webp",{},true,"\u002Ffeatures\u002Fsecurity",{"title":5,"description":218},"features\u002Fsecurity",[231,232],"security","features","RVg7j0VMsLnbZ7ZB-zPv1hbWkCW1ooR5oF1bt_rBV9I",1779306078457]