x3s.host Docs

Security

How x3s.host protects your agents and what you can do to stay secure.

How access works

Every agent is accessible only through authenticated sessions. Your Public URL requires credentials — nothing is open by default.

Secrets you add are encrypted at rest and never exposed in plaintext after saving. The dashboard and API use standard session-based authentication with secure cookies.

Your responsibilities

A few habits that go a long way:

  • Keep your credentials private. Your account password and agent tokens give full control over your agents.
  • Rotate tokens when needed. If you think a credential has been exposed, delete it and create a new one from the Secrets tab.
  • Remove agents you no longer use. An idle agent with secrets attached is an unnecessary risk.
  • Review agent status regularly. An unexpected DEGRADED or STOPPED status can indicate something worth looking into.

Tailscale access

When Tailscale is connected, your agent gets a private IP accessible only to members of your Tailscale network. This is a good option when you want shell access without relying on your Public URL credentials.

Your Tailscale auth key (if saved in account settings) is treated as a secret — encrypted, never shown again after saving.

Account security

  • Use a strong password for your x3s.host account
  • Sign in with GitHub or Google if you prefer OAuth — this means your account security is tied to that provider
  • Contact support if you lose access or suspect unauthorised activity

Data & Backups

What gets saved, what to expect across restarts, and how to protect your agent's data.

How x3s Works

A plain-language overview of the x3s.host platform.

On this page

How access worksYour responsibilitiesTailscale accessAccount security