Security at AuthRAI
We handle authentication and authorization for your AI agents. Security isn't a feature — it's the product.
Ed25519 Signing
Every agent token is cryptographically signed with Ed25519. Verification requires no database lookup — the signature is the proof.
SHA-256 Chain Audit Log
Every event is hash-chained to the previous one. Any retroactive tampering with audit history is cryptographically detectable.
Short-Lived Credentials
Tokens expire in seconds to hours. No standing credentials means a compromised agent's blast radius is bounded by the TTL.
Technical security controls
Timing-safe authentication
Bcrypt comparison runs for unknown emails too — prevents user enumeration via response timing.
RBAC with 5 role tiers
viewer → auditor → developer → admin → owner. Each role enforced at the API layer, not just the UI.
Per-request CSP nonces
Content Security Policy headers with unique nonces per request — mitigates XSS even if an injection point exists.
Rate limiting on every auth endpoint
Login, signup, password reset, and token issuance are individually rate-limited by IP with Redis sliding windows.
HMAC-verified webhooks
Every outbound webhook includes a X-AmpGate-Signature header. Verify before trusting delivery.
HSTS + TLS 1.3
All endpoints served over TLS with HSTS enforced. No HTTP downgrade possible once a browser has visited.
Delegation depth enforcement
Agent sub-delegation chains have a hard maximum depth. A compromised agent can't escalate privileges by chaining delegations.
Session invalidation on password reset
Resetting a password immediately revokes all existing sessions — stolen session cookies become useless within seconds.
Found a vulnerability?
We take security reports seriously. Please disclose responsibly — don't publish details until we've had a chance to fix it.
Report a vulnerability →We aim to respond within 24 hours. Critical findings may be eligible for recognition.