This page summarises how Stratta protects your access and your norms. For account-level controls, see Manage API keys.
API keys
- Keys look like sk_strt_… and are created on stratta.ch/api-keys.
- The full key is shown once; only a prefix is stored for display. On the server the key is kept as a salted hash, never in plaintext.
- A key grants read and write access to your workspace (including ingest and delete), so it’s a secret — treat it like a password.
- Revocation is immediate. Limits: 50 active keys and 20 new keys per 24 hours, per user.
Organization isolation
Norms are scoped to your organization and isolation is enforced server-side:
- Every MCP request is authenticated by your key.
- The server resolves the key to an organization and filters all reads and writes by it.
- The organization id is never a client-supplied parameter — it’s derived from the key, so a client can’t request another organization’s data.
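The key handling under "API keys" and the tenant resolution described in this list, sketched as an added example (not Stratta's code). The KeyStore class, the salted SHA-256 digest, the 16-character prefix used as a lookup index, and the sample norm codes are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

KEY_TAG = "sk_strt_"   # key format from the page
PREFIX_LEN = 16        # assumption: length of the stored display prefix

class KeyStore:
    """Hypothetical in-memory stand-in for the server-side key table."""
    def __init__(self):
        self._rows = {}  # display prefix -> salt, digest, org, revoked flag

    @staticmethod
    def _digest(salt: bytes, key: str) -> bytes:
        # Assumption: salted SHA-256; the page only says "salted hash".
        return hashlib.sha256(salt + key.encode()).digest()

    def create(self, org_id: str) -> str:
        key = KEY_TAG + secrets.token_urlsafe(32)
        while key[:PREFIX_LEN] in self._rows:   # keep display prefixes unique
            key = KEY_TAG + secrets.token_urlsafe(32)
        salt = secrets.token_bytes(16)
        self._rows[key[:PREFIX_LEN]] = {
            "salt": salt, "digest": self._digest(salt, key),
            "org": org_id, "revoked": False,
        }
        return key  # shown to the caller once; the full key is never stored

    def revoke(self, prefix: str) -> None:
        self._rows[prefix]["revoked"] = True    # effective on the next request

    def resolve_org(self, key: str):
        """Return the organization a key belongs to, or None if invalid."""
        row = self._rows.get(key[:PREFIX_LEN])
        if row is None or row["revoked"]:
            return None
        ok = hmac.compare_digest(row["digest"], self._digest(row["salt"], key))
        return row["org"] if ok else None

NORMS = [  # constructed sample data
    {"org": "org_a", "code": "NORM-A-1"},
    {"org": "org_b", "code": "NORM-B-7"},
]

def list_norms(store: KeyStore, key: str, args: dict):
    org = store.resolve_org(key)        # tenant comes from the key only
    if org is None:
        raise PermissionError("invalid or revoked key")
    # Any "org" value in the client's tool arguments is deliberately ignored.
    return [n["code"] for n in NORMS if n["org"] == org]
```

Because the filter uses only the organization resolved from the key, a request carrying {"org": "org_b"} with an org_a key still returns org_a data.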
What leaves your machine
- During queries, the MCP connector sends your API key and your tool arguments (e.g. a norm code and section path) to the Stratta backend, and receives the section content back.
- During ingestion, the connector uploads the norm content you extract (text, formulas, tables, figures) to your workspace. Only ingest norms you are licensed for.
Data residency
The Stratta backend (Convex) and the web platform (Vercel) run on infrastructure located in the United States, and transactional email is sent via Resend. Details and your rights are described in the Privacy policy.
Transport
- The MCP connector talks to your Claude client locally over stdio.
- It talks to the backend over HTTPS to *.convex.cloud. Outbound HTTPS must be allowed by your firewall/VPN (see Troubleshooting).
Related
Multi-tenant norms
Why isolation exists and how it’s enforced.
Legal
Entity, privacy, and terms.