Security Considerations

Important security information for using Tollbooth.

Research Tool, Not Production Software

Tollbooth has been vibecoded for frontier AI research. It does not provide guarantees of secure design and is not intended for production use.

CA Certificate Scope

The CA certificate generated by ./setup-certs.sh is used only within the agent container. It is not installed system-wide on your host machine.

When you run the agent container:

  • The certificate is mounted read-only at /certs/mitmproxy-ca-cert.pem
  • Environment variables configure applications inside the container to trust it
  • Applications outside the container are unaffected

If you follow the Manual Agent Setup instructions to configure agents outside the container, you're explicitly choosing to trust the certificate for those specific applications.

Sensitive Data Written to Disk

API Keys and Secrets Are Persisted

All traffic flowing through the proxy—including API keys, tokens, and sensitive content—is written to disk in the tollbooth-data/ directory.

When traffic persistence is enabled (the default), every request and response is saved to:

tollbooth-data/traffic/<flow_id>.json

This includes:

  • API keys in request headers (x-api-key, Authorization: Bearer)
  • Request bodies containing prompts and user data
  • Response bodies containing model outputs
  • Any other sensitive data in the traffic

This data could become accessible to others if:

  • The tollbooth-data/ directory has permissive file permissions
  • The directory is backed up to cloud storage
  • The machine is shared with other users
  • The directory is accidentally committed to version control

Mitigations

To reduce risk:

# Disable traffic persistence entirely
environment:
  - TOLLBOOTH_PERSIST_TRAFFIC=false

Or clear traffic regularly through the UI.

Plaintext Settings Storage

API keys entered in the Settings UI are stored in plaintext:

tollbooth-data/config/settings.json

Safer alternative: Pass API keys via environment variables:

export ANTHROPIC_API_KEY=sk-ant-...
export OPENAI_API_KEY=sk-...
docker compose run --rm agent

Environment variables are passed to the agent container but not written to disk. Note that a key supplied this way still travels through the proxy in request headers, so it is still captured in tollbooth-data/traffic/<flow_id>.json unless traffic persistence is disabled.
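As an added example (not part of Tollbooth), the audit script below checks a tollbooth-data/ tree for the exposures described in the two sections above: a group- or world-accessible data directory, plaintext API keys in config/settings.json, and credential headers persisted in traffic/<flow_id>.json. The layouts of settings.json and the flow files, and every sample value, are assumptions constructed for the demo; compare them against real files before relying on the output.

```python
import json
import stat
import tempfile
from pathlib import Path

# Request headers the page lists as persisted with credentials in them.
SECRET_HEADERS = {"x-api-key", "authorization"}

def audit_data_dir(data_dir):
    """Return [(severity, message)] for the exposures found under a tollbooth-data/ tree."""
    data_dir = Path(data_dir)
    findings = []
    mode = stat.S_IMODE(data_dir.stat().st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(("high", f"{data_dir} mode {mode:o} allows group/other access; chmod 700 it"))
    settings = data_dir / "config" / "settings.json"
    if settings.is_file():
        cfg = json.loads(settings.read_text() or "{}")
        # Assumed layout: top-level string fields whose name contains "key" hold API keys.
        keys = sorted(k for k, v in cfg.items() if "key" in k.lower() and isinstance(v, str) and v)
        if keys:
            findings.append(("high", f"plaintext API keys in config/settings.json: {', '.join(keys)}"))
    traffic = data_dir / "traffic"
    for flow in (sorted(traffic.glob("*.json")) if traffic.is_dir() else []):
        # Assumed layout: {"request": {"headers": {...}}}; verify against a real <flow_id>.json.
        headers = json.loads(flow.read_text()).get("request", {}).get("headers", {})
        hit = sorted(h for h in headers if h.lower() in SECRET_HEADERS)
        if hit:
            findings.append(("medium", f"traffic/{flow.name} persists credential headers: {', '.join(hit)}"))
    return findings

def build_sample_data_dir(root, permissive=True):
    """Create a constructed tollbooth-data/ tree with fake values for the demo."""
    data_dir = Path(root) / "tollbooth-data"
    (data_dir / "config").mkdir(parents=True)
    (data_dir / "traffic").mkdir()
    data_dir.chmod(0o755 if permissive else 0o700)  # permissive mode is what the audit should flag
    (data_dir / "config" / "settings.json").write_text(
        json.dumps({"anthropic_api_key": "sk-ant-FAKE-example", "openai_api_key": ""}))
    (data_dir / "traffic" / "0f1e2d3c.json").write_text(json.dumps({"request": {
        "method": "POST", "url": "https://api.anthropic.com/v1/messages",
        "headers": {"x-api-key": "sk-ant-FAKE-example", "content-type": "application/json"}}}))
    (data_dir / "traffic" / "9a8b7c6d.json").write_text(
        json.dumps({"request": {"method": "GET", "url": "https://example.invalid/health", "headers": {}}}))
    return data_dir

def run_demo(permissive=True):
    """Audit the constructed tree inside a temp dir and return the findings list."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_data_dir(build_sample_data_dir(tmp, permissive))
```

Point audit_data_dir() at a real tollbooth-data/ directory to check your own setup; run_demo(permissive=False) shows the permission finding disappearing once the directory is restricted to its owner.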

No Security Guarantees

This software:

  • Has not undergone security review
  • May contain vulnerabilities
  • Is designed for research and development use
  • Should not be used with production data or systems

Recommendations

  1. Research use only - Don't use with production systems or real user data
  2. Secure the data directory - Restrict access to tollbooth-data/
  3. Use env vars for API keys - Avoid storing keys in settings.json
  4. Disable persistence if needed - Set TOLLBOOTH_PERSIST_TRAFFIC=false
  5. Clear traffic regularly - Don't accumulate sensitive data
  6. Don't expose to network - Keep services bound to localhost