Explore how Antei protects against application-layer threats through secure development practices, authentication controls, and vulnerability management.
Application Security
Antei is built with clear boundaries between frontend, backend, and integrations — using scoped access, strong authentication, and practical defaults that reduce risk in real-world usage.
Authentication & Authorization
- OAuth 2.0: Used for all third-party integrations such as Stripe, Gmail, QuickBooks, and Xero
- Scoped Tokens: Only minimum required scopes are requested during authorization
- Session Keys: Managed inside Xano and auto-expired via background cleanup routines
- Retool Role Control: User access to application views is managed per organization and permission level
Role-Based Access Control
- Per-Org Access: All operations are scoped by organization
- Retool Frontend Logic: Views and components are hidden based on user role
- Xano-Level Enforcement: Backend APIs check the org ID and the session on every call, so a request that passes the frontend role checks is still rejected if it targets another organization's data or carries an expired session
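As an added illustration of the per-call org and session checks described above, together with the background expiry of session keys: this is example code written for this page, not Antei's or Xano's implementation, and the in-memory session store, the TTL value and the `handle_invoice_list` endpoint are assumptions.

```python
from dataclasses import dataclass

# Constructed in-memory session store standing in for the real backend store.
SESSION_TTL_SECONDS = 3600
SESSIONS = {}      # session_key -> Session
AUDIT_LOG = []     # rejection reasons are recorded here, not returned to the client


@dataclass
class Session:
    user_id: str
    org_id: str
    expires_at: float


def create_session(key, user_id, org_id, now):
    SESSIONS[key] = Session(user_id, org_id, now + SESSION_TTL_SECONDS)


def cleanup_expired_sessions(now):
    """Background routine: drop every session past its expiry; returns the number removed."""
    expired = [k for k, s in SESSIONS.items() if s.expires_at <= now]
    for k in expired:
        del SESSIONS[k]
    return len(expired)


def authorize_call(session_key, requested_org_id, now):
    """Per-call check: the session must exist, be unexpired, and belong to the requested org."""
    s = SESSIONS.get(session_key)
    if s is None:
        return False, "unknown session"
    if s.expires_at <= now:
        # Rejected immediately, even if the background cleanup has not run yet.
        return False, "expired session"
    if s.org_id != requested_org_id:
        # Cross-tenant request: a frontend role check alone would not catch this.
        return False, "org mismatch"
    return True, s.user_id


def handle_invoice_list(session_key, org_id, now, invoices_by_org):
    """Hypothetical endpoint: only the session's own org data is ever returned."""
    ok, detail = authorize_call(session_key, org_id, now)
    if not ok:
        AUDIT_LOG.append((session_key, org_id, detail))
        return {"status": 403, "error": "forbidden"}   # generic error, no detail leaks
    return {"status": 200, "invoices": invoices_by_org.get(org_id, [])}
```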
Secure Data Handling
- Input Validation: Structured payloads are validated before processing
- No Direct DB Exposure: The database is reachable only through authenticated, rate-limited APIs
- Error Handling: Custom error boundaries are implemented to avoid data leakage
Development Hygiene
- Separate Environments: Dev/staging/production have separate data and deployment pipelines
- Minimal Dependencies: Workers and backend services only import vetted, essential libraries
- Secrets Management: Environment variables (tokens, API keys) are passed via secure config — never hardcoded
Frontend Security
- Session Scope in Retool: Session data is scoped to the logged-in user/org
- Cross-Origin Controls: The Retool app is hosted on a custom domain, with secure headers managed by Cloudflare
- No Credential Injection: OAuth flows are initiated on demand — no sensitive credentials are stored or reused
What We Don’t Claim (Yet)
- No SAST tools or CI/CD pipelines with automated scanning
- No external pen testing or bug bounty program
- No browser-side SRI or CSP enforcement
These are tracked and will be added as the product matures.
Questions?
For technical questions or access control concerns, reach out to security@antei.com.