Scaling Security and Observability for Agentic Web API — May 11, 2026

Scaling the security and observability for the Agentic Web API took up most of today for me. After wrapping up an 11 hour day, I managed to ship 9 features and improvements along with 2 important fixes. It was most important to make improvements for the overall robustness and ability to resource it for the amount of users interacting with the platform.

One of the highlights of the day was cleaning up all the dependabot alerts. I updated nodemailer from version 6.10 to 8.0.7 and a couple others like postcss and axios. Besides the security implications, it was crucial for the stability of the app. Post this update, npm audit reports no vulnerabilities which was a big milestone to accomplish. It is rewarding to have this with the current focus on security for a future unicorn.

For things related to scalability, I added a durable BackgroundJob queue with a cron tick for scheduled knowledge re-indexing for portal embeds. Before this, the system was fire-and-forget, which meant that after a PM2 restart, some portals could be left orphaned in a 'running' state. Now, I have queuing and no portal can be left behind. I really believe this is an important improvement for reliability and uptime for when I envision users interacting with the platform more.

I migrated the meshPairingStore and paidLiveSessionStore to Upstash with an in-memory fallback. This means that even with a PM2 restart, active billing-session pricing rows remain which is important for the user experience and tracking revenue. The migration was quite the process. Besides having to document the async migration path for future scalability for cluster mode, I learned a lot about managing data stores in a distributed system which took longer than I anticipated.

For observability, I performed a major overhaul of the reportApiError functionality. All console.errors have been routed through a Sentry helper which means I can now track errors from 70 files and 80 endpoints in this batch. This is a huge amount of work, however, it means I can avoid a lot of time wasting guessing when tracking down errors in the future. I also migrated some of the major API endpoints including auth sessions and payment webhooks to this new error reporting system.

Some bugs on that day took longer than I'd like to admit to sort out. One such bug pertained to the case of the same-origin gate and per-IP rate limits regarding the ElevenLabs token. Some of the endpoints at the time were still allowing GET requests without any sort of limits placed upon them - which would have made the application very expensive to run. To prevent any one attacker from abusing them, I had to get rid of these dev-only endpoints. The fix also meant adding a daily per-portal LLM-cents limit on the embed AI path to further limit user’s exposure.

Overall I’m pleased by the work I’ve done but I’m also very much aware of the grind. I’m getting Claude Code to help me out in VS Code. It works pretty well since I’m not having to spend money on hiring devs but there are times when the AI can only go so far. There’s a fine line between using AI and having a real understanding of the system I’m building.

Working towards a one-man-show billion-dollar company, I’m building each feature and implementing each fix with that vision in mind. The road is long and difficult but every commit gets me closer to the type of web platform I want. I'm looking forward to seeing the user experience and security improvements these changes will bring. Also the growth that will follow.