Security

Auth Flow exists to secure identity. We operate under the principle that identity infrastructure must be secure by default, transparent in operation, and resilient against evolving threats.

Auth Flow is designed as modular, composable infrastructure:

In Transit

All connections use TLS 1.3. HTTPS is enforced for all endpoints. HSTS headers prevent downgrade attacks.

At Rest

Data is encrypted using AES-256. Keys are managed via dedicated KMS with automatic rotation.

Credentials

Passwords are hashed with Argon2id and per-user salts. We never store plaintext passwords.

We support passkeys (WebAuthn/FIDO2), magic links, TOTP, and social login. Rate limiting and progressive delays protect against brute force. Sessions use secure, HTTP-only, SameSite cookies.

Fine-grained RBAC with role hierarchies and organization scoping. API keys are capability-scoped and stored as hashes.

SOC 2 Type II certified infrastructure with network segmentation, DDoS protection, geographic redundancy, and automated patching.

24/7 monitoring, comprehensive audit logging, and documented incident response. Breach notification within 72 hours per GDPR.

You are responsible for:

• Securing your applications and implementing proper session handling
• Protecting API keys and never committing them to source control
• Enabling MFA for users when appropriate
• Monitoring audit logs for suspicious activity
• Keeping your integration code up to date

We appreciate responsible disclosure and will acknowledge reports within 24 hours.