Security

Effective date: June 20, 2026

Codey is designed from the ground up with security as a core architectural principle — not an afterthought. Because Codey runs locally on your machine and connects to AI providers you control, the attack surface is fundamentally smaller than cloud-based alternatives.

Local-First Architecture

Unlike cloud-based AI coding tools, Codey does not send your code to our servers. Your source code, project files, and git history never leave your machine unless you explicitly send them to a third-party AI provider through a direct API connection.

Bring Your Own Key (BYOK)

Codey uses your own API keys to communicate directly with AI providers. This means:

Permission System

Codey operates a strict, configurable permission system that prevents unauthorized actions:

Permissions can be configured globally and per-project. Bash commands are analyzed for dangerous patterns before execution, and denial rules prevent agents from executing them even through shell scripts.

Filesystem Isolation

Codey enforces strict filesystem boundaries. Subagents and AI sessions are sandboxed to your active project worktree. They cannot access files outside your working directory unless you explicitly grant broader permissions.

Subagent Security

Codey's multi-agent architecture is designed with security isolation in mind:

MCP Server Security

Model Context Protocol (MCP) servers extend Codey's capabilities. Security considerations:

Data in Transit

When Codey communicates with external services, all connections use TLS encryption. Your Codey account sync also uses encrypted channels.

Account Security

For Codey Pro subscribers, account authentication uses secure token-based flows:

Reporting Vulnerabilities

If you discover a security vulnerability in Codey, please report it responsibly. We take all security reports seriously and will acknowledge receipt within 48 hours.

If you have questions, contact us at team@codeyai.space.