# Security

Agents may help users discover plans, start signup, authorize access, create Checkout Sessions, read status, and explicitly reveal an API key.

Agents must not:

- collect or store SiteShot passwords.
- collect or store payment card details.
- claim that payment is complete before Stripe confirms it.
- call billing actions without the `billing:checkout` scope.
- reveal the screenshot API key without the `api_key:read` scope and an explicit `reveal_api_key` action.

Read-only status calls never include the full screenshot API key.
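
One way a server could enforce the scope rules above, shown as an added example rather than SiteShot's own code. The action names `create_checkout_session` and `read_status`, the account fields, and the sample key are assumptions made for illustration.

```python
# Hypothetical server-side gate for agent requests (not SiteShot's code).
# Action names other than reveal_api_key, and the account fields, are assumed.

class Denied(Exception):
    """Raised when a token's scopes do not permit the requested action."""

# Scope each action needs; None means a read-only call with no special scope.
REQUIRED_SCOPE = {
    "create_checkout_session": "billing:checkout",
    "reveal_api_key": "api_key:read",
    "read_status": None,
}

def handle(action, scopes, account):
    """Authorize one agent action and build its response."""
    if action not in REQUIRED_SCOPE:
        raise Denied(f"unknown action: {action}")  # deny by default
    needed = REQUIRED_SCOPE[action]
    if needed is not None and needed not in scopes:
        raise Denied(f"{action} requires scope {needed}")

    if action == "reveal_api_key":
        # Only this explicit action ever returns the full key.
        return {"api_key": account["api_key"]}
    if action == "create_checkout_session":
        # Creating a session is not payment; it stays pending until
        # Stripe confirms it.
        return {"checkout": "created", "payment": "pending"}
    # read_status: report Stripe-confirmed state, never the full key,
    # even when the token also carries api_key:read.
    return {
        "plan": account["plan"],
        "payment": "complete" if account["stripe_confirmed"] else "pending",
        "api_key_last4": account["api_key"][-4:],
    }

# Constructed sample account; the key is a made-up value.
SAMPLE = {"plan": "starter", "stripe_confirmed": False,
          "api_key": "ss_example_0123456789abcdef"}
```
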
