Security you can verify
Kotauth is open source, so security is auditable rather than asserted. Here is how the platform protects credentials, data, and sessions.
Password hashing
Passwords are hashed with bcrypt and a per-credential salt. Plaintext is never stored or logged, and work factors are tuned for current hardware.
Encryption at rest
Sensitive secrets are sealed with AES-256-GCM. Tenant backups derive keys with PBKDF2 at 600k iterations before the envelope is encrypted.
Token security
Short-lived access tokens, rotating refresh tokens, and replay detection with full family revocation when a reused token is seen.
Rate limiting & lockout
Authentication endpoints are rate limited, and repeated failures trigger account lockout. TOTP attempts carry their own replay and lockout protection.
Tenant isolation
Each workspace has its own user directory, RS256 signing keys and CORS policy. A compromise in one tenant cannot reach another.
Comprehensive audit logging
65+ event types are recorded in an append-only trail. Every administrative action is attributable to an actor, a time, and a source.
Locked down by default
The container ships with secure defaults so a fresh deployment is not a soft target. No root, no writable filesystem, no privilege escalation.
Responsible disclosure
Found a vulnerability? We appreciate coordinated disclosure. Use the contact form with the subject set to Security, and please do not open a public issue for sensitive reports. We aim to acknowledge valid reports quickly and will keep you updated through resolution.
Report a vulnerability