Task Puffins

Create a mission

Trust

Security at Sendapuffin

The service combines short-lived mission links with user-scoped OAuth tools and an explicit browser confirmation before every connected-provider write.

Controls

  • Verified authentication is required to create missions.
  • ChatGPT and Claude connect through OAuth 2.1 with PKCE and user consent.
  • Capability and approval tokens are randomly generated and stored only as cryptographic hashes.
  • Provider credentials are encrypted before storage.
  • OAuth client tokens are read-only for mission records.
  • Google Calendar writes require a separate short-lived Sendapuffin approval.
  • Creators can revoke or permanently delete missions and disconnect providers.
  • Mission manifests are not cached or indexed.
  • Database row-level security isolates creator dashboards.
  • Remote source fetching is restricted to administrator-approved hosts with network and response limits.

What users should do

Treat every mission URL like a temporary password. Share it only with the intended recipient, avoid sensitive data, and revoke it if it reaches the wrong person.

Report a vulnerability

A public security-reporting inbox is being provisioned. Private-beta participants should use the contact channel in their invitation. Please do not access other users’ data or disrupt the service while testing.