Security

Identity & Access Management

Authentication, authorization, and session controls.

Authentication

Email and password (bcrypt), OAuth SSO (Google, Microsoft, and others), SAML SSO (enterprise),
primary passkey login, and MFA (TOTP, email OTP, WebAuthn second factor, recovery codes).

Roles

Owner, Administrator, and Member roles govern organization access. Permissions are enforced at organization, workspace, and room levels.

Session security

Sessions use HTTP-only cookies with the Secure and SameSite=Lax attributes in production. Sessions are invalidated on password change and on sign-out.