Skip to content

Security

The short version: passwordless auth, org-scoped everything, attributed writes, revocable links.

Authentication

  • Passwordless only: Google, GitHub (verified-email policy), magic links, passkeys (WebAuthn). There is no password to phish, reuse, or leak.
  • Two-factor: TOTP, enforced for Admin/Owner roles; recovery codes provided.
  • Sessions: httpOnly cookies (JWT, 30-day rolling expiry); revoking a session invalidates it immediately. API keys are scoped and revocable.

Isolation

  • Every read and write is scoped to one organization at the service layer — not in the client, not by convention. Objects outside your org return 404, never leaking existence.
  • Snippets are private or team. A public link exposes exactly one snippet read-only; rotating or deleting makes the old link 404 immediately.

Attribution & audit

  • Every mutation writes an audit event in the same transaction: actor, door (ui · cli · mcp · http), agent attribution (via Claude), verb, object, timestamp.
  • Gated moves are human-only; agent attempts are rejected and recorded.

Data handling

  • Logs never contain email addresses, snippet bodies, or tokens.
  • Webhooks/integrations (GitHub, Slack) use per-integration credentials with the minimum scopes; sign-in OAuth and integration OAuth are separate clients.

Reporting

Found something? Open a security advisory on the repository or use the contact on the console's settings page — we acknowledge within 48 hours during the beta.

One vocabulary, every door.