Application Security

Antei is built with clear boundaries between frontend, backend, and integrations — using scoped access, strong authentication, and practical defaults that reduce risk in real-world usage.

Authentication & Authorization

  • OAuth 2.0: Used for all third-party integrations such as Stripe, Gmail, QuickBooks, and Xero
  • Scoped Tokens: Only minimum required scopes are requested during authorization
  • Session Keys: Managed inside Xano and auto-expired via background cleanup routines
  • Retool Role Control: User access to application views is managed per organization and permission level

Role-Based Access Control

  • Per-Org Access: All operations are scoped by organization
  • Retool Frontend Logic: Views and components are hidden based on user role
  • Xano-Level Enforcement: Backend APIs include org ID and session checks in every call

Secure Data Handling

  • Input Validation: Structured payloads are validated before processing
  • No Direct DB Exposure: Database access is only through authenticated, rate-limited APIs
  • Error Handling: Custom error boundaries are implemented to avoid data leakage

Development Hygiene

  • Separate Environments: Dev/staging/production have separate data and deployment pipelines
  • Minimal Dependencies: Workers and backend services only import vetted, essential libraries
  • Secrets Management: Environment variables (tokens, API keys) are passed via secure config — never hardcoded

Frontend Security

  • Session Scope in Retool: Session data is scoped to the logged-in user/org
  • Cross-Origin Controls: Retool app is hosted on a custom domain with secure headers managed by Cloudflare
  • No Credential Injection: OAuth flows are initiated on demand — no sensitive credentials are stored or reused

File Upload Protection

To ensure the safety of uploaded content, all files (PDFs, CSVs, images, and more) are automatically scanned for malware before being processed or shared. We use Cloudmersive Malware Scanning, a trusted antivirus API, to detect:
  • Viruses
  • Trojans
  • Worms
  • Ransomware
  • Other known threats
This applies to:
  • All uploaded files through our platform
  • Files synced from integrations or user imports
If malware is detected, the file is automatically quarantined or rejected, and no further processing occurs.

This ensures a secure and trusted environment for all users.

What We Don’t Claim (Yet)

  • No SAST tools or CI/CD pipelines with automated scanning
  • No external pen testing or bug bounty program
  • No browser-side SRI or CSP enforcement
These are tracked and will be added as the product matures.

Questions?

For technical questions or access control concerns, reach out to security@antei.com.