Security
Last updated: March 1, 2026
Security is core to what Dispatch does. Every webhook event passing through our platform is protected at every layer — from ingress verification to encrypted storage to authenticated delivery.
Webhook Signature Verification
Incoming webhook requests are verified using HMAC-SHA256 signatures. Dispatch supports both the GitHub-style X-Hub-Signature-256 header and our native X-Dispatch-Signature header. Each endpoint has a unique signing secret; events that fail verification are rejected before being stored.
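A receiver-side check of the kind described above, as an added example and not Dispatch's own code: it computes HMAC-SHA256 over the raw request body and rejects anything unsigned or mismatched. The `sha256=<hex>` value format is GitHub's; using it for X-Dispatch-Signature as well, along with the function names and sample secrets, is an assumption.

```python
import hashlib
import hmac

# Header names come from the page. The "sha256=<hex>" value format is GitHub's
# and is ASSUMED here for the native header too.
SIGNATURE_HEADERS = ("x-dispatch-signature", "x-hub-signature-256")
PREFIX = "sha256="

def sign(secret: bytes, raw_body: bytes) -> str:
    """Return the header value a sender would attach for this exact body."""
    return PREFIX + hmac.new(secret, raw_body, hashlib.sha256).hexdigest()

def verify_webhook(secret: bytes, headers: dict, raw_body: bytes) -> bool:
    """True only if every signature header present is a valid HMAC of raw_body."""
    # HTTP header names are case-insensitive, so normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    presented = [lowered[h] for h in SIGNATURE_HEADERS if h in lowered]
    if not presented:
        return False  # unsigned request: reject, never default to accept
    # Sign the bytes as received; re-serialised JSON would not match.
    expected = sign(secret, raw_body).encode()
    # All presented headers must verify, so a forged header cannot ride along
    # with a valid one. compare_digest avoids a timing side channel.
    return all(
        hmac.compare_digest(expected, value.strip().lower().encode())
        for value in presented
    )

# Constructed sample data (not real secrets or events).
SECRET_A = b"endpoint-a-signing-secret"
SECRET_B = b"endpoint-b-signing-secret"
BODY = b'{"action":"opened","number":1}'

def demo() -> dict:
    good = {"X-Hub-Signature-256": sign(SECRET_A, BODY)}
    bad = {"X-Dispatch-Signature": "sha1=abcd"}
    return {
        "valid": verify_webhook(SECRET_A, good, BODY),
        "tampered_body": verify_webhook(SECRET_A, good, BODY + b" "),
        "wrong_endpoint_secret": verify_webhook(SECRET_B, good, BODY),
        "missing_header": verify_webhook(SECRET_A, {}, BODY),
        "malformed_value": verify_webhook(SECRET_A, bad, BODY),
        "valid_plus_forged": verify_webhook(SECRET_A, {**good, **bad}, BODY),
    }

if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:22} -> {'store' if accepted else 'reject'}")
```

Only the first case is accepted; the per-endpoint secret means a signature valid for one endpoint does not verify on another.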
Encryption at Rest
Sensitive values — Discord webhook URLs, bot tokens, and OAuth access tokens — are encrypted using AES-256-GCM before being written to the database. Encryption keys are managed separately from the data store and are never logged.
Encryption in Transit
All communication between clients and the Dispatch API is encrypted via TLS 1.2 or higher. Webhook deliveries to your Discord destinations are also made over HTTPS.
Authentication
User authentication is handled via Supabase Auth, which issues short-lived JWTs verified by the API using JWKS. API keys use a dsp_ prefix and are stored as SHA-256 hashes — the plaintext key is never persisted.
Access Controls
Dispatch enforces role-based access control within organizations (owner, admin, developer, viewer). Row-Level Security policies in the database ensure users can only access data belonging to organizations they are members of. Private projects further restrict visibility to explicitly granted members.
Infrastructure
Our platform runs on SOC 2 compliant cloud infrastructure. Database access is restricted to the application layer and is not publicly exposed. We use separate credentials for service-level operations that bypass Row-Level Security, scoped to the minimum permissions required.
Responsible Disclosure
If you believe you have found a security vulnerability in Dispatch, please report it responsibly by emailing us. Please do not disclose the issue publicly until we have had a reasonable opportunity to address it. We aim to respond to all security reports within 48 hours.
Questions
For general security questions, contact us. For privacy-related concerns, see our Privacy Policy.