Security

Last updated: December 23, 2025

At AuthOS, security isn’t just a feature—it’s the foundation of everything we build. As an identity platform, we understand that you’re trusting us with one of the most critical aspects of your application.

Security Architecture

Encryption

In Transit

  • TLS 1.3 for all API communications
  • Certificate pinning for mobile SDKs
  • Perfect forward secrecy enabled

At Rest

  • AES-256 encryption for sensitive data
  • Hardware security modules (HSM) for key management
  • Encrypted database backups

Authentication Security

  • Password Hashing: Argon2id with secure parameters
  • Token Security: Short-lived JWTs with RS256 signing
  • Session Management: Secure, httpOnly, sameSite cookies
  • Rate Limiting: Protection against brute-force attacks

Infrastructure

  • Isolation: Tenant data is logically separated
  • Network Security: Private networks, firewalls, and DDoS protection
  • Monitoring: 24/7 security monitoring and alerting
  • Backups: Encrypted, geographically distributed backups

Security Features

For Your Users

  • Multi-Factor Authentication: TOTP, WebAuthn/Passkeys, Email OTP
  • Passwordless Login: WebAuthn, Magic Links
  • Device Trust: Remember trusted devices securely
  • Session Management: View and revoke active sessions

For Your Organization

  • SSO Integration: SAML 2.0, OIDC support
  • Audit Logs: Comprehensive authentication event logging
  • IP Allowlisting: Restrict access by IP address
  • Anomaly Detection: Suspicious login detection

Compliance

We are committed to meeting industry compliance standards:

  • SOC 2 Type II: Audit in progress
  • GDPR: Compliant data handling and user rights
  • CCPA: California privacy requirements
  • HIPAA: Available for healthcare customers (Enterprise plan)

See our Compliance page for details.

Vulnerability Disclosure

Responsible Disclosure

We welcome security researchers to help improve our security. If you discover a vulnerability:

  1. Email info@authos.dev
  2. Include detailed steps to reproduce
  3. Allow us reasonable time to address the issue
  4. Do not publicly disclose before we’ve resolved it

Bug Bounty

We offer rewards for qualifying security vulnerabilities. Contact us for program details.

Security Practices

Development

  • Secure coding training for all engineers
  • Code review requirements for all changes
  • Static analysis and dependency scanning
  • Regular penetration testing by third parties

Operations

  • Principle of least privilege access
  • Multi-factor authentication required for all staff
  • Background checks for employees
  • Incident response procedures documented and tested

Incident Response

In the event of a security incident:

  1. Detection: Automated monitoring and alerting
  2. Containment: Immediate isolation of affected systems
  3. Investigation: Root cause analysis
  4. Notification: Customers notified within 72 hours per GDPR
  5. Remediation: Fix deployed and verified
  6. Review: Post-incident review and improvements

Contact

For security concerns or to report a vulnerability:

Contact Security Team