Security & Session Management

Infra0 takes security seriously. All data is encrypted in transit and at rest.

Session Management

  • Sessions are managed via secure, HTTP-only cookies
  • Sessions expire automatically after a period of inactivity
  • Logging out terminates your session immediately
  • Multiple sessions on different devices are supported

Two-Factor Authentication (2FA)

  • 2FA is available for email/password accounts
  • Enable 2FA in Settings > Security
  • Supported 2FA methods: Authenticator apps (TOTP)
  • Highly recommended for Admin and Manager accounts

OAuth Security

  • OAuth tokens are stored securely and never exposed in URLs
  • OAuth provider tokens can be revoked from within your provider account
  • Disconnecting an OAuth provider in Settings will not delete your Infra0 account

Credential Security

  • All cloud provider credentials are encrypted before storage
  • Credentials are never exposed in plain text in the UI
  • Sensitive fields are masked and require explicit action to view
  • Credentials can only be accessed by users with the appropriate permission

RBAC Security

  • Every API call validates the user's permissions server-side
  • Frontend route guards prevent unauthorized page access
  • Permission denials are logged in the Activity Stream
  • Admins can view who has access to what at any time