Security

Security you can verify

Kotauth is open source, so security is auditable rather than asserted. Here is how the platform protects credentials, data, and sessions.

Password hashing

Passwords are hashed with bcrypt and a per-credential salt. Plaintext is never stored or logged, and work factors are tuned for current hardware.

Encryption at rest

Sensitive secrets are sealed with AES-256-GCM. Tenant backups derive keys with PBKDF2 at 600k iterations before the envelope is encrypted.

Token security

Short-lived access tokens, rotating refresh tokens, and replay detection with full family revocation when a reused token is seen.

Rate limiting & lockout

Authentication endpoints are rate limited, and repeated failures trigger account lockout. TOTP attempts carry their own replay and lockout protection.

Tenant isolation

Each workspace has its own user directory, RS256 signing keys and CORS policy. A compromise in one tenant cannot reach another.

Comprehensive audit logging

65+ event types are recorded in an append-only trail. Every administrative action is attributable to an actor, a time, and a source.

Runtime hardening

Locked down by default

The container ships with secure defaults so a fresh deployment is not a soft target. No root, no writable filesystem, no privilege escalation.

Non-root container
Runs as UID 10001 with no-new-privileges set.
Read-only filesystem
Immutable runtime surface with explicit writable mounts.
Air-gapped capable
No outbound calls required to run in isolated networks.
Bootstrap keys from env
Initial API keys are env-managed, never written to disk in plaintext.

Responsible disclosure

Found a vulnerability? We appreciate coordinated disclosure. Use the contact form with the subject set to Security, and please do not open a public issue for sensitive reports. We aim to acknowledge valid reports quickly and will keep you updated through resolution.

Report a vulnerability