Security

Last updated: February 10, 2026

AuthOS is security-critical infrastructure. We take the responsibility of building secure authentication software seriously.

Security By Design

Memory Safety

AuthOS is written in Rust, whose ownership and borrowing rules rule out entire classes of memory-safety vulnerabilities (buffer overflows, use-after-free) that are common in other systems languages. Those guarantees hold for safe Rust; any `unsafe` blocks and native dependencies remain the parts of the code base that call for review.

Cryptography Best Practices

  • Password Hashing: Argon2id as the default.
  • Token Signing: RS256 (RSA with SHA-256) for JWTs.
  • Session Management: session cookies carry the Secure, HttpOnly and SameSite attributes by default.
  • Forward Secrecy: TLS 1.3 is enforced, so every handshake uses an ephemeral key exchange.
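A deployment can silently lose the session-cookie defaults above, for example when a reverse proxy rewrites `Set-Cookie` headers or an operator overrides the configuration. The following is an added example, not AuthOS code: a small audit in plain Rust (standard library only) that checks a `Set-Cookie` header value for the Secure, HttpOnly and SameSite attributes, flags `SameSite=None` (which disables the cross-site protection), and builds the hardened header for comparison. The cookie name `authos_session` and the header values in `main` are constructed for the example.

```rust
// Added example (not part of AuthOS): audit a Set-Cookie header for the
// session-hardening attributes and emit a hardened reference header.

/// Attributes a session cookie must carry. RFC 6265 attribute names are
/// matched case-insensitively.
const REQUIRED: [&str; 3] = ["Secure", "HttpOnly", "SameSite"];

/// Split the attribute part of a Set-Cookie value into (name, value) pairs.
/// The first segment is the cookie's own name=value and is skipped.
fn attributes(set_cookie: &str) -> Vec<(String, Option<String>)> {
    set_cookie
        .split(';')
        .skip(1)
        .map(|seg| {
            let seg = seg.trim();
            match seg.split_once('=') {
                Some((n, v)) => (n.trim().to_ascii_lowercase(), Some(v.trim().to_string())),
                None => (seg.to_ascii_lowercase(), None),
            }
        })
        .collect()
}

/// Returns one finding per problem; an empty list means the cookie passes.
fn audit_set_cookie(set_cookie: &str) -> Vec<String> {
    let attrs = attributes(set_cookie);
    let mut findings = Vec::new();

    for &req in REQUIRED.iter() {
        if !attrs.iter().any(|(n, _)| n.eq_ignore_ascii_case(req)) {
            findings.push(format!("missing {}", req));
        }
    }

    // SameSite=None sends the cookie on cross-site requests, which is what the
    // attribute exists to prevent for a session cookie.
    if let Some((_, Some(v))) = attrs.iter().find(|(n, _)| n == "samesite") {
        if v.eq_ignore_ascii_case("none") {
            findings.push("SameSite=None disables cross-site request protection".to_string());
        }
    }

    findings
}

/// The header a hardened default should produce (constructed reference,
/// not the exact string AuthOS emits).
fn hardened_session_cookie(name: &str, value: &str) -> String {
    format!("{}={}; Path=/; Secure; HttpOnly; SameSite=Lax", name, value)
}

fn main() {
    // Constructed sample headers: one weak, one hardened.
    let weak = "authos_session=s3cr3t; Path=/";
    let good = hardened_session_cookie("authos_session", "s3cr3t");

    for header in [weak, good.as_str()] {
        let findings = audit_set_cookie(header);
        if findings.is_empty() {
            println!("OK    {}", header);
        } else {
            println!("WEAK  {} -> {}", header, findings.join(", "));
        }
    }
}
```

Run it against the headers your proxy actually returns to clients (for instance the output of `curl -sI` on the login endpoint), not against the application's configuration, since the edge is where attributes get dropped.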

Vulnerability Disclosure

We welcome reports from security researchers. If you discover a vulnerability in the AuthOS codebase:

  1. Do not open a public GitHub issue.
  2. Email security@authos.dev (or info@authos.dev).
  3. Include detailed steps to reproduce.
  4. Allow us reasonable time to address the issue before public disclosure.

Responsible Disclosure Policy

We commit to:

  • Acknowledging your report promptly.
  • Reviewing and patching valid vulnerabilities.
  • Crediting you (if desired) in the release notes.

Security Updates

Security patches are released as new versions on GitHub. We recommend subscribing to the repository's release notifications to stay informed.

Deployment Security

Since you self-host AuthOS, you are responsible for the security of your deployment environment.

We recommend:

  • Running behind a reverse proxy (Nginx, Caddy) that terminates TLS.
  • Restricting database access, both network reachability and credentials, to the AuthOS service.
  • Regularly updating the AuthOS binary to the latest release.
  • Monitoring your server logs.

Compliance

AuthOS provides the technical controls (audit logs, access management, encryption) to help you achieve compliance (SOC 2, HIPAA, GDPR) for your application. AuthOS itself is software, not a service provider.

Contact

For security concerns: