DevcoreAI

Security

Security controls for a commercial AI developer platform.

DevCoreAI separates public release discovery, authenticated dashboard operations, and admin-only controls so production responsibilities stay clear.

Admin-gated operations

Admin dashboard routes are server-gated and backend admin APIs require authenticated administrator access.

Token-safe proxying

Client admin pages call Next.js proxy routes, which attach httpOnly tokens server-side instead of exposing them in browser code.
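A sketch of the proxy pattern described above, added as an illustration and not taken from DevCoreAI's code base. The cookie name, upstream origin, route prefix and upstream `/admin/` path are all assumptions.

```javascript
// Added illustration, not DevCoreAI code. All names and paths are assumptions.
const UPSTREAM_ORIGIN = "https://api.example.internal"; // assumed backend API origin
const SESSION_COOKIE = "admin_session";                 // assumed httpOnly cookie name
const PROXY_PREFIX = "/api/admin-proxy/";               // assumed Next.js route prefix

// Extract one cookie value from a raw Cookie header, or null if absent.
function readCookie(cookieHeader, name) {
  for (const part of (cookieHeader || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq !== -1 && part.slice(0, eq).trim() === name) {
      return part.slice(eq + 1).trim() || null;
    }
  }
  return null;
}

// Decide what to send upstream. Returns null when there is no session cookie
// or the (already normalized) path falls outside the proxy prefix.
function buildUpstreamRequest(method, url, cookieHeader) {
  const token = readCookie(cookieHeader, SESSION_COOKIE);
  const incoming = new URL(url); // URL parsing collapses "../" segments
  if (!token || !incoming.pathname.startsWith(PROXY_PREFIX)) return null;
  const rest = incoming.pathname.slice(PROXY_PREFIX.length);
  const target = new URL("/admin/" + rest + incoming.search, UPSTREAM_ORIGIN);
  return {
    url: target.toString(),
    method,
    // The browser's Cookie header is never forwarded, only the bearer token.
    headers: { authorization: "Bearer " + token },
  };
}

// Route-handler body. In a Next.js app this would be exported from route.js as
// GET/POST; fetchImpl is injectable so the handler can be exercised offline.
async function handleProxy(request, fetchImpl = fetch) {
  const upstream = buildUpstreamRequest(
    request.method, request.url, request.headers.get("cookie"));
  if (!upstream) return new Response("Unauthorized", { status: 401 });
  const hasBody = !["GET", "HEAD"].includes(request.method);
  const contentType = request.headers.get("content-type") || "application/json";
  const res = await fetchImpl(upstream.url, {
    method: upstream.method,
    headers: { ...upstream.headers, "content-type": contentType },
    body: hasBody ? await request.text() : undefined,
  });
  // Relay status and body only, so upstream Set-Cookie headers and the token
  // never reach browser-visible code.
  return new Response(await res.text(), {
    status: res.status,
    headers: { "content-type": res.headers.get("content-type") || "application/json" },
  });
}
```

Because the cookie is httpOnly, client-side script cannot read it; the token only appears in the server-to-server `Authorization` header.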

Release webhook protection

Release metadata ingestion requires a bearer webhook token shared only by CI and the API.

Cost controls

Model catalog settings include per-request, per-day, and emergency kill-switch controls.

Operational visibility

Usage history, billing state, plan distribution, and release records are available for support and audit workflows.

Responsible launch

Before production rollout, configure strong secrets, production CORS origins, database migrations, and payment provider webhooks.