Abuse Policy

Last updated: June 10, 2026

Crumb distributes access to AI APIs, so we take abuse seriously. This page explains what counts as abuse, how to report it, and what we do about it.

What counts as abuse

• Using Crumb keys for unlawful activity or to violate OpenAI's usage policies.
• Phishing or spamming people with key invitations or reveal links.
• Selling or trading Crumb keys, or operating credit/resale schemes on top of them.
• Attempting to bypass limits, access other workspaces, extract provider credentials, or otherwise attack the service.
• Connecting provider credentials you are not authorized to use.

How to report

Email abuse@getcrumb.dev. Include whatever you have: the key prefix (the visible ck_... start of a key), an email you received, timestamps, or a description of the behavior. If you are a workspace owner, the per-key usage dashboards and the key's public prefix help us correlate quickly. We aim to acknowledge reports within 2 business days, faster for active incidents.

What we do

• Keys, recipients, pools, and entire workspaces can be suspended or revoked immediately — including a workspace-level kill switch for credential abuse.
• For security analysis we keep salted one-way hashes of requesting IP addresses and user agents; suspicious patterns surface as warnings to workspace owners without exposing raw telemetry.
• Suspended recipients see a neutral “contact the workspace owner” message.
• Where abuse affects an upstream provider, we may notify and cooperate with that provider.

If your key was leaked

Sign in, open My keys, and rotate the key — the old secret stops working immediately. Workspace owners can also rotate or revoke any key from the pool dashboard.