Security

Atlas requires a production session secret and restricts production CORS origins.

The Meta app has completed review for the permissions used by Atlas, and Meta OAuth state is verified before token exchange.

Google Drive browsing and Meta launch operations are performed through server routes rather than exposing write operations as public unauthenticated endpoints.

Production launch history is stored in Firestore without raw tokens, cookies, passwords, or uploaded file bytes.

Workspace, role, and billing controls are scoped to authorized company workspaces managed through RocketShip HQ onboarding.