> ## Documentation Index
> Fetch the complete documentation index at: https://docs.antei.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Application Security

> Explore how Antei protects against application-layer threats through secure development practices, authentication controls, and vulnerability management.

<Icon icon="shield-halved" size={26} color="#4B5563" />

# Application Security

Antei is built with clear boundaries between frontend, backend, and integrations — using scoped access, strong authentication, and practical defaults that reduce risk in real-world usage.

***

## Authentication & Authorization

* **OAuth 2.0**: Used for all third-party integrations such as Stripe, Gmail, QuickBooks, and Xero
* **Scoped Tokens**: Only minimum required scopes are requested during authorization
* **Session Keys**: Managed inside Xano and auto-expired via background cleanup routines
* **Retool Role Control**: User access to application views is managed per organization and permission level

***

## Role-Based Access Control

* **Per-Org Access**: All operations are scoped by organization
* **Retool Frontend Logic**: Views and components are hidden based on user role
* **Xano-Level Enforcement**: Backend APIs include org ID and session checks in every call

***

## Secure Data Handling

* **Input Validation**: Structured payloads are validated before processing
* **No Direct DB Exposure**: Database access is only through authenticated, rate-limited APIs
* **Error Handling**: Custom error boundaries are implemented to avoid data leakage

***

## Development Hygiene

* **Separate Environments**: Dev/staging/production have separate data and deployment pipelines
* **Minimal Dependencies**: Workers and backend services only import vetted, essential libraries
* **Secrets Management**: Environment variables (tokens, API keys) are passed via secure config — never hardcoded

***

## Frontend Security

* **Session Scope in Retool**: Session data is scoped to the logged-in user/org
* **Cross-Origin Controls**: Retool app is hosted on a custom domain with secure headers managed by Cloudflare
* **No Credential Injection**: OAuth flows are initiated on demand — no sensitive credentials are stored or reused

***

### File Upload Protection

To ensure the safety of uploaded content, all files (PDFs, CSVs, images, and more) are automatically scanned for malware before being processed or shared.

We use **Cloudmersive Malware Scanning**, a trusted antivirus API, to detect:

* Viruses
* Trojans
* Worms
* Ransomware
* Other known threats

This applies to:

* All uploaded files through our platform
* Files synced from integrations or user imports

If malware is detected, the file is automatically quarantined or rejected, and no further processing occurs.

## This ensures a secure and trusted environment for all users.

## What We Don’t Claim (Yet)

* No SAST tools or CI/CD pipelines with automated scanning
* No external pen testing or bug bounty program
* No browser-side SRI or CSP enforcement

These are tracked and will be added as the product matures.

***

## Questions?

For technical questions or access control concerns, reach out to [security@antei.com](mailto:security@antei.com).
