Found a security issue in any RoxyAPI repo or in the API itself? Do not open a public issue. Use the contact form at https://roxyapi.com/contact and select the security category.
We acknowledge every report within 48 hours and, for critical issues, target a fix within 7 days.
In scope:
- The API at https://roxyapi.com/api/v2/* and https://roxyapi.com/mcp/*
- Official SDKs (TypeScript, Python, WordPress)
- Repos under https://github.com/RoxyAPI/
Out of scope:
- Vulnerabilities in third-party dependencies that already have a published advisory
- Rate-limit bypass using valid paid API keys (rate limits are commercial limits, not security boundaries)
- Self-XSS or social-engineering scenarios
Researchers who report valid issues responsibly are credited in our security log if they choose to be named.