
Acceptable Use Policy

Last updated May 19, 2026.

Ajolla exists to help teams operationalize legitimate API contracts. This policy describes the behavior we expect, the use cases we prohibit, and how we enforce the rules. It applies to every workspace user and is incorporated into the Terms of Service.

1. Use that we encourage

  • Generating SDKs, documentation, and MCP servers for APIs you own, operate, or are explicitly authorized to integrate against.
  • Inspecting generated artifacts for security and behavioral review before deploying them in production.
  • Using the MCP safety classification to inform which tools should be enabled in agent-facing runtimes.
  • Reporting suspected platform abuse or security issues via the channels listed in the Security Policy.

2. Content restrictions

  • Do not upload OpenAPI documents, examples, schemas, or vendor extensions that contain malware, credential-theft mechanisms, or instructions designed to compromise systems.
  • Do not embed live secrets (API keys, OAuth client secrets, database credentials, JWTs, signing keys) in uploaded specs. Treat any spec that contained a secret as compromised and rotate the secret.
  • Do not upload content that infringes intellectual-property rights, defames a person or entity, or violates an applicable export-control or sanctions regime.
  • Do not upload personal data of third parties beyond what is reasonably required to document the API contract.

3. Operational restrictions

  • Do not use Ajolla’s URL ingestion feature to probe private or internal networks, cloud-metadata endpoints, or any host you are not authorized to access.
  • Do not attempt to bypass rate limits, workspace boundaries, or row-level security. Do not attempt to access another tenant’s projects, specs, or generated artifacts.
  • Do not use generated SDKs or MCP servers to perform unauthorized automated access, scraping, or denial-of-service attacks against third-party systems.
  • Do not use the Service to package or distribute interfaces designed for harassment, fraud, spam, or non-consensual surveillance.

4. Agent and MCP use

  • Apply human review before exposing destructive or administrative MCP tools to unsupervised agent execution.
  • Use least-privilege credentials and environment separation when wiring a generated MCP server to a production-grade agent or to internal systems.
  • Treat MCP tools classified as `destructive` or `admin` as requiring an explicit allowlist; do not enable them by default.
  • Log tool invocations in the host runtime so that agent actions remain auditable.

5. Examples of prohibited use

  • Uploading a specification scraped from a vendor without authorization and using the resulting SDK to circumvent their API terms.
  • Configuring a generated MCP server to act on behalf of an end-user without surfacing destructive actions for explicit confirmation.
  • Using URL ingestion to reach AWS / GCP instance metadata endpoints or other internal addresses (this is blocked by design — attempts to bypass the protection are themselves a violation).
  • Sharing a workspace session cookie or magic link with other people to bypass our rate limits or per-account safeguards.

6. Reporting abuse

If you believe another workspace, or a generated artifact that originated on the platform, is being used in violation of this policy, contact abuse@ajolla.dev with enough detail to reproduce or investigate the issue. We acknowledge reports within five business days.

7. Enforcement

  • Depending on the severity of the violation, we may warn the workspace owner, throttle specific features, suspend access, or terminate the account.
  • We may retain audit-trail records, server logs, and uploaded content needed to investigate suspected abuse or to comply with legal process.
  • We will provide a written explanation of any account-level enforcement action and an opportunity to respond, except where prompt action is required to protect the platform or other users.

8. Changes to this policy

We may revise this policy as new abuse patterns emerge. Material changes will be announced in-product or by email before they take effect. The “Last updated” date at the top of the page reflects the most recent revision.
