Security
Last updated July 2026
Mirae is designed around limited access, server-side secrets, per-user isolation, and clear failure states. Security also depends on your account practices and the third-party services you authorize.
Least-privilege access
Mirae requests access needed to read Merchant Center status and provide recovery guidance. You review the requested access before connecting and may revoke access through Google or Mirae.
No Google password sharing
Mirae does not ask for your Google password. Connection happens through Google OAuth so you can authorize access directly with Google.
Server-side secrets
Service credentials, authorization tokens, and webhook secrets are kept in server environments and are not intentionally embedded in client code or sent to the browser.
Per-user and merchant isolation
Requests are authenticated and scoped to the signed-in user and connected merchant account. The server is responsible for verifying session and ownership before account-specific reads or writes.
Verified billing events
Stripe webhook events are verified by signature before they are trusted. Unverified or tampered events are rejected.
Fail closed
If a dependency is unavailable, misconfigured, or cannot provide trustworthy data, Mirae should pause, show a clear state, and avoid fabricating approval, serving, recovery, or scan results.
No absolute guarantee
We use reasonable safeguards, but no internet-connected service is completely secure. If you believe you found a vulnerability or data issue, contact support promptly.
