Deploylet documentation

Deployment and token safety

Understand the current safeguards around deployment uploads, endpoint selection, scoped tokens, and private file access.

Deployment safeguards

Before storing assets, the Worker validates deployment file paths, byte counts, SHA-256 digests, total upload size, file count, and declared content types. The CLI skips common secret files and source maps by default.

Scoped runtime access

Runtime tokens carry a class, scopes, allowed spaces and environments, optional allowed origins, expiry, and revocation metadata. Only token hashes are stored; token plaintext is returned only at creation time.

Private files

File uploads are private by default and require a service token. The current JSON/base64 upload transport caps a file at 2 MiB; larger-file workflows are not yet part of the public runtime.

Security reporting

For a security concern or private-beta question, contact hello@deploylet.com.