If you discover a security vulnerability, please report it responsibly:
- Do NOT open a public issue
- Email the maintainer directly or use GitHub's private vulnerability reporting
- API tokens and access credentials should only be stored in environment variables
- Never commit `.env` files or tokens to version control
- The MCP server communicates with the verification API over HTTPS
- All sensitive data (ID card numbers, phone numbers, bank card numbers) is transmitted encrypted and not stored locally
- Face comparison images are processed in memory and not persisted
- Rotate your `DATA_VERIFY_ACCESS_TOKEN` periodically
- Use the minimum required permissions
- Monitor your API usage for unexpected patterns
- Do not log or store personally identifiable information (PII) in plain text
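One way to apply the token and PII rules above in a Python MCP server, as an added example that is not part of the project's own code: the token is read only from `DATA_VERIFY_ACCESS_TOKEN` (never from a file or argument), and a logging filter masks ID card, phone and bank card numbers, plus the token itself, before any record is written. The number formats (18-character ID card, 11-digit mobile, 16 to 19 digit bank card) and the sample values are assumptions.

```python
import logging
import os
import re
from typing import Mapping, Optional


def load_access_token(env: Optional[Mapping[str, str]] = None) -> str:
    """Read DATA_VERIFY_ACCESS_TOKEN from the environment; fail fast if it is missing."""
    env = os.environ if env is None else env
    token = env.get("DATA_VERIFY_ACCESS_TOKEN", "").strip()
    if not token:
        raise RuntimeError("DATA_VERIFY_ACCESS_TOKEN is not set; refusing to start")
    return token


# Assumed formats for the PII kinds the server handles. Order matters: the
# 18-character ID card pattern runs first so the bank card pattern (16-19 digits)
# cannot match an ID number that is still unmasked.
_PII_PATTERNS = [
    re.compile(r"\b\d{17}[\dXx]\b"),  # ID card number (last char may be X)
    re.compile(r"\b1\d{10}\b"),       # 11-digit mobile phone number
    re.compile(r"\b\d{16,19}\b"),     # bank card number
]


def redact(text: str) -> str:
    """Mask every PII match, keeping only its last four characters."""
    def mask(m: "re.Match[str]") -> str:
        value = m.group(0)
        return "*" * (len(value) - 4) + value[-4:]
    for pattern in _PII_PATTERNS:
        text = pattern.sub(mask, text)
    return text


class RedactingFilter(logging.Filter):
    """Logging filter that scrubs PII and the access token from each record."""

    def __init__(self, token: Optional[str] = None) -> None:
        super().__init__()
        self.token = token

    def filter(self, record: logging.LogRecord) -> bool:
        message = record.getMessage()  # render args before scrubbing
        if self.token:
            message = message.replace(self.token, "[REDACTED_TOKEN]")
        record.msg = redact(message)
        record.args = ()  # args are already folded into msg
        return True
```

Attach the filter with `logging.getLogger().addFilter(RedactingFilter(load_access_token()))` before the server starts so every handler receives scrubbed records.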