Session & Token Management
Antei enforces robust session control and token verification mechanisms to ensure secure access across all application modules β including Vault, integrations, and critical workflows. Sessions and tokens are encrypted, scoped, and rate-limited for compliance-grade protection.Session Types & Expiry
- Sessions are device-specific
- Vault sessions expire independently of app sessions
- Expiry is enforced by backend system time, not just browser events
Token Architecture
Antei uses opaque, encrypted tokens backed by secure infrastructure:- Stored in Postgres Database with SHA-256 hashing
- Not stored in browser local/session storage
- Passed securely via URL params or internal context
- Validated and decoded before any data access or processing
Scoped Token Flow
Scoped tokens are generated dynamically for operations such as:- Vault file previews
- Temporary access to download links
- One-time API routing for background jobs
- Scoped to a user, org, and action
- Time-limited and invalidated automatically
- Logged and tracked in session activity history
API Keys & Environments
Antei supports API keys for integration use across environments:- Keys are org-specific, role-scoped, and non-retrievable after creation
- Rotate keys regularly and disable unused ones from Settings β Access Tokens
API Protection & Rate Limiting
Every request to Anteiβs platform APIs passes through security checks:Authentication Flow
Each protected route follows this pipeline:- Rate Check β Controls frequency of access
- Token Validation β Checks SHA-256, expiry, and presence
- User Association β Token must match logged-in user
- Org Binding β Prevents cross-org token abuse
- Permission Evaluation β Verifies user role against resource access matrix
Vault-Specific Controls
Vault enforces additional authentication logic:- Sessions expire after 5 minutes of inactivity, requiring password
- Vault sessions span across modules but remain sandboxed
- Every file action uses scoped, auto-expiring tokens
- Events are separately tracked in Audit Trails
Auditability & Observability
- Session token generation, use, and expiry are logged
- Vault events (access, file view, expiry) appear in audit logs
- Admins can see active sessions per user but cannot revoke to prevent accidental invalidation
- Token misuse or errors trigger alert logs for monitoring
Security Highlights
- SHA-256 encrypted tokens
- No browser-side persistent storage
- Rate-limited API access
- Org+user+action scoped auth layers
- Separate controls for Vault
- All flows backed by secure Retool-based storage