Security
How we protect your data and your users
OAuth 2.0 & OIDC
Built on open standards with full OpenID Connect support for interoperable, standards-based authentication.
Encryption
TLS 1.3 for all data in transit. AES-256 encryption for all data at rest. No exceptions.
Multi-Factor Auth
TOTP, WebAuthn/passkeys, and push authentication provide layered security for every account.
PKCE
Proof Key for Code Exchange required on all OAuth flows, preventing authorization code interception attacks.
Brute Force Protection
Automatic account lockout with configurable thresholds protects against credential stuffing and brute force attacks.
Audit Logging
Comprehensive event tracking across 27 event types with 90-day retention and exportable logs.
Security in depth
Every layer of the ZewstID platform is designed with security as a first-class concern.
Architecture
- OAuth 2.0 and OpenID Connect compliant identity provider
- RS256-signed JWT tokens issued exclusively by the identity provider
- Public JWKS endpoint for independent token verification
- Battle-tested open-source identity provider foundation
- Strict separation between API gateway and token issuance
- No custom token generation outside the identity provider
Encryption
- TLS 1.3 enforced on all client-to-server connections
- Bcrypt with configurable work factor for password hashing
- AES-256 encryption for all sensitive data at rest
- No plaintext storage of secrets, tokens, or credentials
- Secure key management with regular key rotation
- HTTP Strict Transport Security (HSTS) headers on all domains
Authentication Security
- PKCE required for all public and confidential OAuth clients
- Brute force protection with configurable lockout policies
- Rate limiting enforced on all API and authentication endpoints
- Session management with secure, httpOnly, SameSite cookies
- CSRF protection built into all SDK integrations
- Automatic session invalidation on password change
Infrastructure
- Containerized deployment with isolated service architecture
- Network segmentation between public-facing and internal services
- Regular security patches and dependency updates
- No shared tenancy on free tier data storage
- Automated health checks and service monitoring
- Database encryption and secure backup procedures
Vulnerability Reporting
- Responsible disclosure program for security researchers
- Report vulnerabilities to [email protected]
- Acknowledgment of all reports within 48 hours
- Coordinated disclosure timeline agreed with reporters
- Credit given to researchers in security advisories (with consent)
- No legal action against good-faith security researchers
Audit Logging
- 27 authentication and authorization event types tracked
- 90-day log retention on all plans
- Per-application event filtering in the admin dashboard
- Exportable logs in standard formats for compliance
- Real-time event streaming available on Pro and Enterprise plans
- Tamper-evident log storage with integrity verification
Questions about security?
We take security seriously. Reach out to our team for security audits, compliance documentation, or vulnerability reports.