Security Model
Security by architecture, not settings. Most API clients ask you to be careful. TiefWise makes it structurally impossible to leak secrets by accident.
Most API clients treat security as a feature you enable. In TiefWise, security is built into the execution pipeline: it is not something you toggle on, it is how the software works. Credentials are scanned, exports are validated, and unsafe targets are blocked before anything leaves your machine.
SecretGuard
Two-tier secret protection that prevents credential leakage at export time.
SOFT Boundary
Detection + warning. You see exactly what's detected and decide whether to proceed.
- Scans exports for sensitive patterns
- Lists every detected secret with its location
- You can proceed, but you know exactly what you are sharing
Use case: sharing with a trusted teammate
HARD Boundary
Automatic redaction. Secrets are removed from the export entirely.
- Secrets are automatically redacted from the export
- Cannot be bypassed without explicit action
- Redaction is irreversible in the exported file
Use case: sharing with external contractors, public repos
SecretGuard detects Bearer tokens, Basic auth credentials, API keys, AWS access keys, JWTs, OAuth tokens, private keys, and any custom patterns you define. Detection is pattern-based: a credential in a format none of the built-in patterns recognize is only caught if you add a custom pattern for it.
SSRF Protection
Server-Side Request Forgery (SSRF) tricks an application into making requests to unintended internal resources. TiefWise validates targets at plan generation time and across the entire redirect chain.
How TiefWise protects you
Blocked targets
- 127.0.0.1 (localhost)
- 10.0.0.0/8 (RFC 1918 private range, the former class A block)
- 172.16.0.0/12 (RFC 1918 private range, the former class B block)
- 192.168.0.0/16 (RFC 1918 private range, the former class C block)
- 169.254.0.0/16 (link-local, which includes cloud metadata endpoints such as 169.254.169.254)
SSRF protection applies to the entire redirect chain, not just the initial URL. A redirect from a public URL to an internal IP is blocked.
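The blocklist and the redirect-chain rule above, as an added example in Python. This is not TiefWise's own code: the first five networks mirror the page's list (with 127.0.0.1 widened to the whole loopback /8), while the extra IPv6 and 0.0.0.0/8 entries, the resolver hook, the FAKE_DNS and REDIRECTS tables and every function name are assumptions of this example. It goes beyond the page in two ways a practitioner would want: hostnames are resolved and every returned address must be allowed, and the validated addresses are handed back so the caller connects to what was checked rather than resolving a second time.

```python
"""Added example (not TiefWise's code): SSRF target validation applied to the
initial URL and again to every redirect hop before that hop is requested.

The first five networks mirror the page's list; the rest, the resolver stub,
the redirect table and all names here are assumptions of this example.
"""
import ipaddress
from urllib.parse import urlsplit

BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8",     # loopback (page: 127.0.0.1 / localhost)
    "10.0.0.0/8",      # RFC 1918 private
    "172.16.0.0/12",   # RFC 1918 private
    "192.168.0.0/16",  # RFC 1918 private
    "169.254.0.0/16",  # link-local, incl. cloud metadata (169.254.169.254)
    "0.0.0.0/8",       # "this host"; reaches localhost on many stacks (added)
    "::1/128",         # IPv6 loopback (added)
    "fc00::/7",        # IPv6 unique-local (added)
    "fe80::/10",       # IPv6 link-local (added)
)]

# Constructed stand-in for DNS so the example runs offline.
FAKE_DNS = {
    "public.example.com": ["203.0.113.10"],
    "intranet.example.com": ["10.1.2.3"],
    # One public and one loopback answer: blocked, because every address the
    # client might actually connect to must be allowed.
    "rebind.example.com": ["203.0.113.20", "127.0.0.1"],
}


def fake_resolve(host):
    return FAKE_DNS.get(host, [])


def is_blocked_ip(ip_text):
    """True if the address lies in a blocked network; IPv4-mapped IPv6 is unwrapped."""
    ip = ipaddress.ip_address(ip_text)
    if ip.version == 6 and ip.ipv4_mapped is not None:   # ::ffff:127.0.0.1 -> 127.0.0.1
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def check_target(url, resolve=fake_resolve):
    """Validate one URL. Returns (allowed, reason, ips). `ips` are the addresses
    the caller should connect to, so the checked address is the one used."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed", []
    host = parts.hostname   # lower-cased; brackets stripped from IPv6 literals
    if not host:
        return False, "missing host", []
    if host == "localhost" or host.endswith(".localhost"):
        return False, "localhost is blocked", []
    try:
        ips = [str(ipaddress.ip_address(host))]   # literal address in the URL
    except ValueError:
        ips = resolve(host)                       # hostname: check every answer
        if not ips:
            return False, f"{host} did not resolve", []
    for ip in ips:
        if is_blocked_ip(ip):
            return False, f"{host} -> {ip} is a blocked target", ips
    return True, "ok", ips


def follow_redirects(url, redirects, resolve=fake_resolve, max_hops=5):
    """Walk a redirect chain, validating each hop *before* it would be requested.
    `redirects` maps a URL to the absolute Location it answers with (a constructed
    stand-in for live responses). Returns (ok, final_url_or_reason, hops_taken)."""
    hops = []
    for _ in range(max_hops + 1):
        allowed, reason, _ips = check_target(url, resolve)
        if not allowed:
            return False, f"hop {len(hops)} blocked: {url}: {reason}", hops
        hops.append(url)
        if url not in redirects:
            return True, url, hops
        url = redirects[url]
    return False, "too many redirects", hops


# Constructed redirect responses: a public start URL that bounces to the
# cloud metadata endpoint, and a benign public-to-public move.
REDIRECTS = {
    "https://public.example.com/start": "http://169.254.169.254/latest/meta-data/",
    "https://public.example.com/moved": "https://public.example.com/api",
}
```

follow_redirects validates each Location target before it would be requested, so a chain that starts at a public URL and bounces to 169.254.169.254 stops at hop 1 without the metadata request ever being made. Re-resolving the hostname after validation would reopen a DNS-rebinding window; connecting to the ips returned by check_target closes it.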
Redaction Behavior
What gets protected depends on the context. Local data stays intact. Exports are scrubbed.
| Context | Auth Headers | Bearer Tokens | Env Variables | Body |
|---|---|---|---|---|
| Export (JSON) | Redacted | Redacted | Redacted | Preserved |
| Share | Redacted | Redacted | Redacted | Preserved |
| cURL Export | Redacted | Redacted | N/A | Preserved |
| Local History | Preserved | Preserved | Preserved | Preserved |
Local history keeps everything intact because it never leaves your machine. Anything that can leave your machine is scrubbed first: auth headers, bearer tokens and environment variables are redacted outright, while request and response bodies are preserved as content and are covered by the SecretGuard scan like the rest of the export.
Export Safety Guarantees
Every export goes through a safety pipeline. No exceptions.
Secret scan runs automatically on every export
You don't have to remember to run it. It's always on.
Warnings cannot be silently dismissed
You must acknowledge each detected secret before proceeding.
HARD boundary redaction is irreversible
Once secrets are redacted from an export, they cannot be recovered from that file.
Exported files are safe to commit to git
Collections can live alongside your code. Export under the HARD boundary for anything that goes into a shared or public repository, and add custom patterns for credential formats the built-in detectors do not know.
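The SecretGuard boundaries, the redaction table and the pipeline steps in this section, as one added example in Python. This is not TiefWise's own code: the regexes, the `[REDACTED:kind]` placeholder, the function names and the sample collection are assumptions, and the real pattern set is not given on this page. It redacts by pattern match rather than by header name, so the table's blanket redaction of auth headers is not modelled; what it does show is the pipeline order (scan always runs, SOFT requires a decision per finding, HARD leaves nothing recoverable) and the custom-pattern caveat.

```python
"""Added example (not TiefWise's code): a SecretGuard-style export pipeline.

Models the page's two boundaries over a collection export: SOFT lists every
finding with its location and proceeds only when each one is acknowledged;
HARD replaces each finding with a placeholder in the exported copy. Local data
is never modified. Pattern set, placeholder text and all names are assumptions.
"""
import re
from dataclasses import dataclass

# Built-in detectors (assumed regexes; the page names only the categories).
# Order matters: a Bearer value that is itself a JWT is reported once, as a bearer token.
PATTERNS = {
    "bearer_token": re.compile(r"\bBearer\s+[A-Za-z0-9\-._~+/]+=*"),
    "basic_auth": re.compile(r"\bBasic\s+[A-Za-z0-9+/]{8,}=*"),
    "aws_access_key": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+"),
    "private_key": re.compile(
        r"-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]+?-----END [A-Z ]*PRIVATE KEY-----"),
}

# A custom pattern for an in-house token format the built-ins cannot know about (assumed).
CUSTOM = {"acme_token": re.compile(r"\bACME-[0-9a-f]{32}\b")}


@dataclass
class Finding:
    path: str    # JSON path of the string that contained the secret
    kind: str    # which pattern matched
    value: str   # the matched text, shown to the user under SOFT


@dataclass
class ExportResult:
    data: object        # exported copy, or None when the export was blocked
    findings: list      # every Finding, in document order
    blocked_on: object  # first unacknowledged Finding under SOFT, else None


def _scan_string(text, patterns):
    """Report every match in `text`; return the findings and the redacted text."""
    found = []
    for kind, rx in patterns.items():
        found += [(kind, m.group(0)) for m in rx.finditer(text)]
        text = rx.sub(f"[REDACTED:{kind}]", text)   # later patterns see the redacted text
    return found, text


def _walk(node, path, patterns, redact, findings):
    """Rebuild the tree; string leaves are scanned and, under HARD, replaced."""
    if isinstance(node, dict):
        return {k: _walk(v, f"{path}.{k}", patterns, redact, findings) for k, v in node.items()}
    if isinstance(node, list):
        return [_walk(v, f"{path}[{i}]", patterns, redact, findings) for i, v in enumerate(node)]
    if isinstance(node, str):
        found, redacted = _scan_string(node, patterns)
        findings.extend(Finding(path, kind, value) for kind, value in found)
        return redacted if redact else node
    return node   # numbers, booleans, None


def export(collection, boundary, acknowledge=None, custom_patterns=None):
    """Run the export safety pipeline; the scan itself is not optional.

    boundary:    "SOFT" (warn, require acknowledgement) or "HARD" (redact)
    acknowledge: callback Finding -> bool used under SOFT; None means nothing is acknowledged
    """
    if boundary not in ("SOFT", "HARD"):
        raise ValueError("boundary must be 'SOFT' or 'HARD'")
    patterns = {**PATTERNS, **(custom_patterns or {})}
    findings = []
    exported = _walk(collection, "$", patterns, boundary == "HARD", findings)
    if boundary == "HARD":
        return ExportResult(exported, findings, None)   # placeholders only; nothing to recover
    for finding in findings:                            # SOFT: no silent dismissal
        if acknowledge is None or not acknowledge(finding):
            return ExportResult(None, findings, finding)
    return ExportResult(exported, findings, None)


# Constructed sample collection: a bearer JWT, an AWS key and an in-house token.
SAMPLE = {
    "name": "billing-api",
    "requests": [{
        "method": "GET",
        "url": "https://api.example.com/v1/invoices",
        "headers": {
            "Authorization": "Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0In0.abcDEF-ghi_456",
            "Accept": "application/json",
        },
        "body": {"note": "no secrets here"},
    }],
    "environment": {
        "AWS_ACCESS_KEY_ID": "AKIAIOSFODNN7EXAMPLE",
        "INTERNAL_TOKEN": "ACME-0123456789abcdef0123456789abcdef",
    },
}
```

Rescanning a HARD export yields no findings, which is the property behind "irreversible": the placeholders carry no part of the original value. INTERNAL_TOKEN in the sample shows the caveat from the SecretGuard section: the default patterns pass it through untouched, and it is only redacted once the custom pattern is supplied.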
Local-First Architecture
TiefWise runs entirely on your machine. There is no cloud component.
All collections, environments, history, and settings are stored on your local filesystem. The only network calls TiefWise makes are the API requests you explicitly send. For enterprise security documentation, see the Enterprise Security page.
Most other API clients let you toggle security on or off.
In TiefWise, security isn't a setting. It's how the software works.