Security

This page documents what Kernus implements to protect your account, your data, and your infrastructure. Everything here is based on the actual codebase — not aspirational claims.

Last updated: April 2026

Authentication & sessions

Passwords hashed with bcrypt (cost 12)

Passwords are never stored. We store a bcrypt hash with cost factor 12 — the same standard used by most modern auth systems.

Short-lived access tokens (JWT HS256)

Access tokens expire quickly. Each token carries only what's needed for the request: user ID, org ID, role, and email.

Refresh tokens stored as SHA-256 hashes

The actual refresh token is never stored. Only its SHA-256 hash is persisted. Tokens are generated using cryptographically secure random bytes.

Refresh cookies: HttpOnly, Secure, SameSite=Lax

Refresh tokens are transmitted only via HttpOnly cookies — inaccessible to JavaScript. The Secure flag ensures they're never sent over plain HTTP.

Password reset invalidates all sessions

When you reset your password, every active refresh token for your account is immediately revoked. You're the only one who can log back in.

Google OAuth with CSRF state validation

OAuth state parameters are validated on callback to prevent CSRF attacks. State cookies expire in 5 minutes.

Agent security model

Agent tokens stored as hashes only

Agent tokens are shown once at creation, then only their hash is stored. Even if the database were compromised, the raw tokens wouldn't be exposed.

Outbound-only agent: no open ports

The agent connects outward to the Kernus API. It does not listen on any port and cannot be reached from the network.

Optional token expiration

Agent tokens can be set to expire automatically. Token last-used timestamps are tracked so you know which tokens are still active.

Immediate revocation

Revoking a token takes effect on the next request. You can revoke individual tokens or all tokens for your organization at once.

Agent is fully open source

Every line of code that runs on your server is publicly auditable on GitHub. You're not trusting a black box.

API & infrastructure

All traffic over TLS

The API does not accept plain HTTP connections in production. TLS termination is handled at the infrastructure layer.

Rate limiting per organization

API requests are rate-limited by organization using a token bucket algorithm. This prevents both abuse and accidental DoS from misconfigured agents.

CORS restricted to known origins

The API only accepts cross-origin requests from explicitly allowed origins. Wildcards are not used.

X-Content-Type-Options and X-Frame-Options headers

Security headers are applied to all responses: X-Content-Type-Options: nosniff prevents MIME type sniffing, and X-Frame-Options: DENY blocks framing to prevent clickjacking.

Role-based access control

Organization roles (owner, admin, member) are enforced at the middleware level on every protected route.

Data isolation

Metrics partitioned by organization in ClickHouse

Time series data is physically partitioned per org. Queries are scoped by org_id at the database level — not just filtered in application code.

Cascading deletes on all org data

Deleting an organization removes all associated data — memberships, tokens, alert rules, and metrics — via database-level cascades.

Email verification required before access

New accounts cannot use the dashboard until their email is verified. Verification tokens expire in 24 hours and are single-use.

What we don't claim

Kernus is not SOC 2, ISO 27001, or HIPAA certified. We're a small product, not an enterprise vendor. We don't have a red team or a bug bounty program.

What we do have: a codebase you can read, standard security practices applied consistently, and a direct line to the person who wrote it. If you find something wrong, tell us.

Found a vulnerability? Contact us at security@kernus.app