Security
Security in plain English.
What we encrypt, what we never store, and what we will do if something breaks.
Architecture controls.
- Per-tenant signing keys via AWS KMS (when enabled)
Each project mints its own signing key envelope. On Enterprise, BYO-KMS lets you hold the master key in your own AWS account so we cannot decrypt your data without a customer-controlled grant.
- Postgres encryption at rest
Customer data lives in managed Postgres with full-disk encryption. Tenant scoping is enforced in the application layer on every query against a project_id column; row-level security policies are on the roadmap.
- ChaCha20-Poly1305 envelope encryption for sensitive config
Webhook signing secrets, audit-stream credentials, SSO provider client secrets, and SCIM bearer tokens are sealed with ChaCha20-Poly1305 using per-project data keys. Plaintext never lives at rest.
- HMAC-SHA256 webhook signatures
Every webhook delivery carries an Authio-Signature header with an HMAC-SHA256 of the timestamped payload. Consumers should verify with a constant-time compare; our SDKs do this for you.
- Refresh-token rotation
Sessions use short-lived access tokens (15 minutes) and rotating refresh tokens. Refresh reuse triggers a session-family revocation so a stolen refresh token cannot be used twice.
- Rate-limited authentication endpoints
Token-bucket limits apply to sign-in, magic-link send, OTP verify, passkey ceremonies, and the SSO ACS endpoint. Defaults are conservative; per-project overrides are available on Enterprise.
- WebAuthn / FIDO2 — phishing resistant by construction
Passkeys are bound to your registered domain. There is no shared secret to spill, so even a perfect phishing UI cannot complete a credential ceremony against the wrong origin.
- Adaptive risk engine
Signals: impossible-travel detection, new-device fingerprinting, velocity buckets, headless-UA heuristics, geo anomalies, and Tor/VPN tagging. An elevated score triggers step-up authentication rather than an outright block.
- Step-up authentication
When risk is elevated or the destination action is sensitive (org settings, API key rotation, recovery flows), the user is prompted for a fresh passkey or magic-link assertion before the session is privileged.
- Audit logs with project-scoped streaming
Every state change is recorded in audit_events with a monthly partition and configurable retention (90 days default). Stream to your own S3, ClickHouse, Datadog, or SIEM via the audit-streams API.
- Customer data export and deletion
DSAR-friendly. Project owners can export users, memberships, and audit history as NDJSON via the management API, and can trigger a hard-delete that cascades through tombstones within 30 days.
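The "HMAC-SHA256 webhook signatures" item above says consumers should verify the Authio-Signature header with a constant-time compare. The following is an added example of such a receiver-side check, not Authio's SDK code. The header layout (`t=<unix seconds>,v1=<hex digest>`), the signed-message layout (`<timestamp>.<body>`), and the 300-second replay window are assumptions for the example; the real header format is whatever the Authio SDK documents.

```python
import hashlib
import hmac
import time
from typing import Optional, Tuple

# Assumed layout of the Authio-Signature header (the page does not publish it):
#   "t=<unix seconds>,v1=<hex HMAC-SHA256>"
# Assumed signed message: "<timestamp>.<raw request body>", so the timestamp is
# covered by the MAC and cannot be changed without invalidating the signature.
DEFAULT_TOLERANCE_SECONDS = 300  # assumed replay window


def _signed_message(timestamp: int, body: bytes) -> bytes:
    return str(timestamp).encode("ascii") + b"." + body


def sign_payload(secret: bytes, timestamp: int, body: bytes) -> str:
    """Sender side: produce the header value for a timestamped payload."""
    digest = hmac.new(secret, _signed_message(timestamp, body), hashlib.sha256).hexdigest()
    return f"t={timestamp},v1={digest}"


def parse_signature_header(header: str) -> Tuple[int, str]:
    """Split "t=...,v1=..." into (timestamp, hex digest); raise ValueError on anything else."""
    fields = {}
    for part in header.split(","):
        key, sep, value = part.strip().partition("=")
        if not sep or not key or not value:
            raise ValueError("malformed Authio-Signature header")
        fields[key] = value
    if "t" not in fields or "v1" not in fields:
        raise ValueError("Authio-Signature header lacks t or v1")
    return int(fields["t"]), fields["v1"]


def verify_webhook(secret: bytes, header: str, body: bytes,
                   now: Optional[int] = None,
                   tolerance: int = DEFAULT_TOLERANCE_SECONDS) -> bool:
    """Receiver side: True only if the timestamp is fresh and the MAC matches.

    hmac.compare_digest runs in time independent of where the digests differ, so a
    wrong signature is rejected without leaking how many leading bytes matched.
    """
    try:
        timestamp, provided = parse_signature_header(header)
    except ValueError:
        return False
    current = int(time.time()) if now is None else now
    if abs(current - timestamp) > tolerance:
        return False  # outside the replay window: stale or future-dated delivery
    expected = hmac.new(secret, _signed_message(timestamp, body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, provided)


if __name__ == "__main__":
    # Constructed sample: a webhook secret and body, not real Authio values.
    secret = b"whsec_constructed_example_secret"
    body = b'{"type":"user.created","data":{"id":"usr_constructed"}}'
    sent_at = 1_700_000_000
    header = sign_payload(secret, sent_at, body)
    print(header)
    print("fresh, untampered:", verify_webhook(secret, header, body, now=sent_at + 30))
    print("tampered body:   ", verify_webhook(secret, header, body + b" ", now=sent_at + 30))
    print("replayed later:  ", verify_webhook(secret, header, body, now=sent_at + 3600))
```

Verify against the raw request bytes as received, before any JSON parsing or re-serialisation, since a single re-ordered key or changed whitespace produces a different MAC.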
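The "Refresh-token rotation" item above describes reuse of a rotated refresh token triggering revocation of the whole session family. The following is an added in-memory model of that behaviour, written for this page and not taken from Authio's service. The token format, the `SessionFamily` and `TokenStore` names, and the use of opaque placeholder access tokens are assumptions of the example.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

ACCESS_TTL_SECONDS = 15 * 60  # the page's 15-minute access-token lifetime


@dataclass
class SessionFamily:
    """All refresh tokens descending from one sign-in share a family."""
    family_id: str
    current_refresh: str = ""                       # the only refresh token valid right now
    issued: Set[str] = field(default_factory=set)   # every refresh token ever minted here
    revoked: bool = False


class TokenStore:
    """In-memory model of refresh-token rotation with reuse detection (assumed design)."""

    def __init__(self) -> None:
        self._families: Dict[str, SessionFamily] = {}
        self._refresh_to_family: Dict[str, str] = {}

    def _mint_access(self, family: SessionFamily) -> str:
        # Opaque placeholder; a real access token would carry an expiry of ACCESS_TTL_SECONDS.
        return "at_" + secrets.token_urlsafe(24)

    def _rotate_refresh(self, family: SessionFamily) -> str:
        token = "rt_" + secrets.token_urlsafe(32)
        family.current_refresh = token
        family.issued.add(token)
        self._refresh_to_family[token] = family.family_id
        return token

    def login(self) -> Tuple[str, str]:
        """Start a new session family; returns (access_token, refresh_token)."""
        family = SessionFamily(family_id=secrets.token_urlsafe(16))
        self._families[family.family_id] = family
        return self._mint_access(family), self._rotate_refresh(family)

    def refresh(self, presented: str) -> Optional[Tuple[str, str]]:
        """Exchange a refresh token. Returns None (and may revoke the family) on failure."""
        family_id = self._refresh_to_family.get(presented)
        if family_id is None:
            return None  # never issued by this store
        family = self._families[family_id]
        if family.revoked:
            return None
        if presented != family.current_refresh:
            # A token we issued but already rotated away is being replayed. Either the
            # legitimate client or a thief holds the stale copy, and the server cannot
            # tell which, so every token in the family is revoked.
            family.revoked = True
            return None
        return self._mint_access(family), self._rotate_refresh(family)

    def family_active(self, refresh_token: str) -> bool:
        """True if the token belongs to a family that has not been revoked."""
        family_id = self._refresh_to_family.get(refresh_token)
        return family_id is not None and not self._families[family_id].revoked


if __name__ == "__main__":
    store = TokenStore()
    _, first = store.login()
    _, second = store.refresh(first)          # normal rotation
    print("replay of rotated token:", store.refresh(first))   # None, family revoked
    print("newest token still valid:", store.family_active(second))  # False
```

The important property is that the outcome of a replay is the same whether the stale token was replayed by the attacker or by the victim: both holders lose the session, and the user must sign in again, which is the signal worth alerting on in the audit stream.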
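The "Rate-limited authentication endpoints" item above names token buckets as the limiting algorithm. The following is an added example of a per-endpoint, per-subject token bucket with lazy refill, written for this page rather than taken from Authio. The endpoint names echo the page; the capacities and refill rates in `EXAMPLE_LIMITS`, the `subject` key, and the `retry_after` helper are constructed for the example, since the page does not publish its actual defaults.

```python
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class BucketConfig:
    capacity: int             # burst size: requests allowed from a full bucket
    refill_per_second: float  # sustained rate once the burst is spent


# Constructed example limits; the page does not publish Authio's actual defaults.
EXAMPLE_LIMITS: Dict[str, BucketConfig] = {
    "sign-in": BucketConfig(capacity=5, refill_per_second=1 / 12),
    "otp-verify": BucketConfig(capacity=5, refill_per_second=1 / 60),
    "magic-link-send": BucketConfig(capacity=3, refill_per_second=1 / 300),
}


class TokenBucketLimiter:
    """Per-(endpoint, subject) token buckets. The caller supplies the clock so
    behaviour is deterministic in tests; 'subject' is whatever the deployment keys
    limits on (an account identifier or client address, assumed here)."""

    def __init__(self, limits: Dict[str, BucketConfig]) -> None:
        self._limits = limits
        # (endpoint, subject) -> (tokens remaining, timestamp of last update)
        self._buckets: Dict[Tuple[str, str], Tuple[float, float]] = {}

    def _current_tokens(self, endpoint: str, subject: str, now: float) -> Tuple[BucketConfig, float]:
        cfg = self._limits[endpoint]
        tokens, last = self._buckets.get((endpoint, subject), (float(cfg.capacity), now))
        # Lazy refill: credit whatever accrued since the last update, capped at capacity.
        refilled = tokens + max(0.0, now - last) * cfg.refill_per_second
        return cfg, min(float(cfg.capacity), refilled)

    def allow(self, endpoint: str, subject: str, now: float) -> bool:
        """Consume one token if available; False means the request should be rejected."""
        cfg, tokens = self._current_tokens(endpoint, subject, now)
        key = (endpoint, subject)
        if tokens >= 1.0:
            self._buckets[key] = (tokens - 1.0, now)
            return True
        self._buckets[key] = (tokens, now)
        return False

    def retry_after(self, endpoint: str, subject: str, now: float) -> float:
        """Seconds until one token is available; 0.0 if a request would pass now."""
        cfg, tokens = self._current_tokens(endpoint, subject, now)
        if tokens >= 1.0:
            return 0.0
        return (1.0 - tokens) / cfg.refill_per_second


if __name__ == "__main__":
    limiter = TokenBucketLimiter(EXAMPLE_LIMITS)
    # Six sign-in attempts in the same second: five pass, the sixth is rejected.
    print([limiter.allow("sign-in", "acct_constructed", 0.0) for _ in range(6)])
    print("retry after:", round(limiter.retry_after("sign-in", "acct_constructed", 0.0), 1), "s")
```

Returning the computed `retry_after` value in a `Retry-After` header lets well-behaved clients back off without guessing, while the burst capacity keeps a user who mistypes a code a couple of times from being locked out.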
What we do not do.
- ✕ Store passwords (we do not have a password column anywhere in our schema).
- ✕ Log access tokens or refresh tokens in plaintext.
- ✕ Expose JWTs in URLs except during the brief redirect step of OAuth/magic-link callbacks; cookies thereafter.
- ✕ Charge for SOC 2 reports — they will be available under NDA when reports are issued.
- ✕ Sell or share customer data with third parties.
- ✕ Run customer queries against a shared training corpus or LLM provider.
Compliance posture.
SOC 2: pre-audit readiness today, Type I audit window targeted for 2027-Q1, Type II for 2027-Q3. We run the controls and gather evidence now so the auditor walks in to six months of evidence rather than starting from zero. The full posture, the TSC control matrix, the policy set, the runbooks, and the risk register are on the compliance page.
ISO 27001 + HIPAA BAA (for the Enterprise tier) are on the public roadmap. GDPR and CCPA compliance is in place today; see our Privacy Policy and the sub-processor list.
A coordinated disclosure program runs out of security@authio.com. A public bug bounty with monetary rewards is planned once we exit beta.
What we will do if something breaks.
We commit to a no-jargon incident process. If a security incident materially affects your project we will notify the project owner email of record within 72 hours of confirmed impact (sooner where regulation requires it), with a written description of what happened, what data was affected, what we have done, and what you should do.
Post-incident, we publish a public retrospective with the timeline, the root cause, and the action items — redacted only where customer data or another party’s identity would be exposed. Status updates during the incident live on the status page.
Report a vulnerability: security@authio.com. PGP key on request.