
Trust Boundary

What can live in the client and what must stay in City or another trusted service.

The Downcity security model depends on a clear trust boundary.

Safe to keep in the client

  • UserClient
  • base_url
  • user_token
  • model IDs
  • user input such as prompt, messages, size, and voice

Must stay in a trusted environment

  • provider API keys
  • DOWNCITY_CITY_ADMIN_SECRET_KEY
  • Runtime env management permissions
  • token issuance logic
  • plans, balances, billing, and risk-control decisions

City's boundary

City validates user_token, reads Runtime env, and calls the real model through service handlers. The client does not need to know the provider key, and it does not need to know how your internal billing works.

the client can know: which model to call
the client should not know: which provider key powers that model

This boundary allows pure-client studios to connect directly to City without exposing sensitive configuration.
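The boundary described under "City's boundary", sketched as an added example (not Downcity's own code or API): a trusted-side handler that accepts only client-safe fields, validates the token, and resolves the provider key from server-side env. The HMAC token format, the field allow-list, the env and model names, and every function name here are assumptions made for illustration.

```python
import hashlib
import hmac

# All names and values are hypothetical and constructed; not Downcity's API or token format.
TOKEN_SIGNING_KEY = b"constructed-signing-key"                     # trusted side only
RUNTIME_ENV = {"PROVIDER_A_API_KEY": "constructed-provider-key"}   # trusted side only
MODEL_TO_ENV = {"chat-small": "PROVIDER_A_API_KEY"}                # model ID -> env var name
CLIENT_FIELDS = {"user_token", "model", "prompt", "messages", "size", "voice"}


def _sign(user_id: str) -> str:
    return hmac.new(TOKEN_SIGNING_KEY, user_id.encode(), hashlib.sha256).hexdigest()


def issue_token(user_id: str) -> str:
    """Token issuance stays on the trusted side (assumed HMAC format)."""
    return f"{user_id}.{_sign(user_id)}"


def validate_token(token: str):
    """Return the user id if the signature verifies, else None."""
    user_id, _, sig = token.rpartition(".")
    if not user_id:
        return None
    ok = hmac.compare_digest(sig.encode(), _sign(user_id).encode())
    return user_id if ok else None


def call_provider(api_key: str, model: str, prompt: str) -> str:
    """Stub for the real provider call; the key is used here and never returned."""
    assert api_key
    return f"[{model}] echo: {prompt}"


def handle_request(body: dict) -> dict:
    """Trusted-side handler: validate, resolve the key server-side, call the model."""
    extra = set(body) - CLIENT_FIELDS
    if extra:  # e.g. a client trying to supply its own api_key or plan
        return {"status": 400, "error": f"unexpected fields: {sorted(extra)}"}
    user_id = validate_token(str(body.get("user_token", "")))
    if user_id is None:
        return {"status": 401, "error": "invalid user_token"}
    model = str(body.get("model"))
    env_name = MODEL_TO_ENV.get(model)
    if env_name is None:
        return {"status": 404, "error": "unknown model"}
    output = call_provider(RUNTIME_ENV[env_name], model, str(body.get("prompt", "")))
    return {"status": 200, "user": user_id, "output": output}
```

The response carries only the model output and user id, so the provider key never crosses back to the client.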