Security & Trust

Security is our foundation

AuthFrame is built for developers who care about the security of their users. Here's how we protect your data at every layer.

Security architecture

Defense in depth across every layer of the stack.

Encryption at Rest & in Transit

All data is encrypted at rest using AES-256. All traffic is enforced over TLS 1.2+. Passwords are hashed with bcrypt (cost factor ≥ 12). Client secrets are stored as hashed values — never in plaintext.

Rate Limiting & Brute-Force Protection

Authentication endpoints are rate-limited per IP and per account. Repeated failures trigger exponential backoff and temporary lockouts. Suspicious activity is logged and can trigger alerts.
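As an added illustration of that policy (example code, not AuthFrame's implementation), the throttle below keeps separate failure counters per IP and per account, starts exponential backoff once a small number of free failures is used up, caps the resulting lockout, and forgets stale failures after a window. The thresholds and delays are constructed values, and the clock is injectable so the behaviour can be checked deterministically.

```javascript
// Added example, not AuthFrame's code: an in-memory login throttle with per-IP and
// per-account counters, exponential backoff and a capped temporary lockout.
// All numbers in POLICY are constructed for the example.
const POLICY = {
  freeFailures: 3,              // failures tolerated before backoff starts
  baseDelayMs: 1000,            // first backoff delay
  maxDelayMs: 15 * 60 * 1000,   // cap: 15-minute temporary lockout
  windowMs: 60 * 60 * 1000,     // failures older than this are forgotten
};

function createLoginThrottle(policy = POLICY, now = () => Date.now()) {
  const state = new Map(); // key -> { failures, lastFailure, lockedUntil }

  // Record one failure for a key and compute its new lockout, if any.
  function recordFailure(key) {
    const t = now();
    let s = state.get(key);
    if (!s || t - s.lastFailure > policy.windowMs) {
      s = { failures: 0, lastFailure: t, lockedUntil: 0 };
    }
    s.failures += 1;
    s.lastFailure = t;
    const over = s.failures - policy.freeFailures;
    if (over > 0) {
      // 1x, 2x, 4x, ... the base delay, never above the cap.
      const delay = Math.min(policy.baseDelayMs * 2 ** (over - 1), policy.maxDelayMs);
      s.lockedUntil = t + delay;
    }
    state.set(key, s);
    return s;
  }

  const ipKey = (ip) => `ip:${ip}`;
  const accountKey = (account) => `acct:${account.toLowerCase()}`;

  return {
    // Call before touching credentials. Either scope being locked blocks the attempt,
    // so one address spraying many accounts and many addresses hitting one account
    // are both slowed down.
    check({ ip, account }) {
      const t = now();
      for (const [scope, key] of [['ip', ipKey(ip)], ['account', accountKey(account)]]) {
        const s = state.get(key);
        if (s && s.lockedUntil > t) {
          return { allowed: false, retryAfterMs: s.lockedUntil - t, reason: scope };
        }
      }
      return { allowed: true, retryAfterMs: 0, reason: null };
    },
    // Call after a failed credential check (including unknown accounts, so that
    // the response timing does not reveal which accounts exist).
    failure({ ip, account }) {
      recordFailure(ipKey(ip));
      recordFailure(accountKey(account));
    },
    // A successful login clears the account counter only; the IP counter is kept
    // so a spray that finally hits one valid password still stays throttled.
    success({ account }) {
      state.delete(accountKey(account));
    },
  };
}

// Usage sketch with a fixed clock:
let clock = 0;
const throttle = createLoginThrottle(POLICY, () => clock);
for (let i = 0; i < 4; i += 1) throttle.failure({ ip: '203.0.113.7', account: 'alice' });
console.log(throttle.check({ ip: '203.0.113.7', account: 'alice' }));
```

In a real deployment the map would live in a shared store rather than process memory, and the `retryAfterMs` value is what a `Retry-After` header or the UI countdown would be derived from.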

RS256-Signed JWT Tokens

AuthFrame issues short-lived JWTs signed with RSA private keys (RS256). The corresponding public keys are exposed via the JWKS endpoint for server-side verification — no shared secrets, no symmetric keys.

Audit Logging

Every auth event — sign-ins, sign-ups, failed attempts, admin actions, and configuration changes — is recorded with timestamps, IP addresses, and user-agent data. Logs are immutable and retained for 90 days.

Origin & Domain Validation

The embed only responds to messages from domains you explicitly allowlist. Every postMessage is checked against the sender's origin before it is handled. Cross-origin requests from outside your configured domains are rejected.
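One way to implement that allowlist check on both sides of the frame, shown as an added example rather than AuthFrame's embed code. The hostnames are constructed placeholders. The check is an exact match on the normalized origin (scheme, host and port), which is what a browser puts in `event.origin`; prefix or suffix matching would accept look-alike hosts, and the sending side always names its target origin instead of `*`.

```javascript
// Added example, not AuthFrame's code: an exact-match origin allowlist for
// window.postMessage, usable in the embedding page and inside the iframe.
// Hostnames are constructed placeholders.

// Normalize a configured origin to scheme://host[:port]. Anything that is not a
// bare origin (path, query, wildcard, userinfo) throws, so a misconfiguration
// fails at startup instead of silently allowing or blocking traffic.
function normalizeOrigin(input) {
  const u = new URL(input);
  if (u.username || u.password || u.pathname !== '/' || u.search || u.hash) {
    throw new Error(`not a bare origin: ${input}`);
  }
  if (u.hostname.includes('*')) throw new Error(`wildcards are not allowed: ${input}`);
  return u.origin; // lowercases the host and drops default ports
}

function buildAllowlist(origins) {
  return new Set(origins.map(normalizeOrigin));
}

// event.origin is already normalized by the browser, so compare it exactly.
// "null" is the origin of sandboxed frames, file:// pages and data: URLs and is
// never trusted. Never use startsWith/endsWith/includes here:
// "https://app.example.com.evil.net" would pass a suffix check.
function isAllowedOrigin(origin, allowlist) {
  return typeof origin === 'string' && origin !== 'null' && allowlist.has(origin);
}

// Returns a handler for window.addEventListener('message', ...). Messages from
// unlisted origins are dropped and counted; their payload is never parsed.
function createMessageHandler(allowlist, onMessage, stats = { dropped: 0 }) {
  return function handleMessage(event) {
    if (!isAllowedOrigin(event.origin, allowlist)) {
      stats.dropped += 1;
      return;
    }
    onMessage(event.data, event.origin);
  };
}

// Sending side: name the target origin explicitly. A targetOrigin of '*' would
// deliver the message to whatever document currently occupies the frame.
function sendToEmbed(targetWindow, message, embedOrigin) {
  targetWindow.postMessage(message, normalizeOrigin(embedOrigin));
}

// Usage sketch (in a browser, `window` and `iframe.contentWindow` replace the stubs):
const allowlist = buildAllowlist(['https://app.example.com']);
const handler = createMessageHandler(allowlist, (data, origin) => console.log('accepted', origin, data));
handler({ origin: 'https://app.example.com', data: { type: 'auth:ready' } });
handler({ origin: 'https://app.example.com.evil.net', data: { type: 'auth:ready' } }); // dropped
```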

Infrastructure Isolation

Each organization's data is logically isolated with row-level tenant scoping on every query. Database credentials never leave the server environment. Infrastructure runs on SOC 2 Type II certified cloud providers.

Secret Rotation

Client secrets can be rotated at any time from the dashboard with zero downtime. Old secrets continue to work during a configurable grace period. API keys support independent rotation without affecting active sessions.

Content Security Policy

AuthFrame enforces strict CSP headers across all served pages. We recommend setting `frame-src` in your own CSP to scope iframe embeds to your AuthFrame subdomain only.

Security practices

A checklist of the security controls enforced across all AuthFrame deployments.

  • Passwords hashed with bcrypt (cost ≥ 12)
  • JWTs signed with RS256 — no shared secrets
  • Short token lifetimes with rolling refresh
  • Mandatory HTTPS — no mixed-content embeds
  • CSRF protection on all state-mutating endpoints
  • Parameterized queries — no raw SQL concatenation
  • Dependency audits on every release
  • Principle of least privilege across all service accounts
  • Secrets managed via environment variables — never hardcoded
  • Regular penetration testing by third-party auditors

Recommended CSP configuration

Set this header on pages that embed the AuthFrame iframe to restrict framing to your AuthFrame origin only.

# HTTP response header
Content-Security-Policy: frame-src https://embedauth.com https://cdn.embedauth.com;

# Or as a <meta> tag
<meta http-equiv="Content-Security-Policy"
  content="frame-src https://embedauth.com https://cdn.embedauth.com;">

Both hosts are required: the iframe URL points at embedauth.com, which redirects to the static CDN at cdn.embedauth.com. CSP enforces frame-src on every hop of the redirect chain. Self-hosters should substitute their own auth and CDN hostnames.

Responsible Disclosure

We take security vulnerabilities seriously. If you discover a potential security issue, please disclose it responsibly by emailing security@embedauth.com. Include a description of the vulnerability, steps to reproduce, and your contact details.

  • We will acknowledge receipt within 48 hours
  • We target a fix or mitigation within 14 days for critical issues
  • We will credit researchers in our release notes (optional)
  • Please do not publicly disclose until a fix is shipped

Ship auth you can trust

Start for free. Upgrade when you need more scale.