Security

How Antara keeps your identity safe

No Cross-App Tracking

Each app receives a unique, 128-bit random slug for your identity. Slugs are cryptographically random and cannot be correlated across apps. There is no shared user ID, no email, and no phone number visible to applications.

You
Antara
App A sees: xK9m...
App B sees: p3Yj...

Encryption Model

  • Email at rest — encrypted with AES-256-GCM using envelope encryption. Each record has a unique data encryption key (DEK), itself encrypted by a key-encryption key (KEK).
  • Email lookup — uses a SHA-256 hash for matching. The plaintext email is never stored unencrypted.
  • Tokens — all session and API tokens use opaque, high-entropy random values. No JWTs containing user data are sent to clients.

Authentication

  • Passwordless — magic link authentication only. No password database to breach.
  • OAuth 2.0 + PKCE — apps authenticate users via the Authorization Code flow with Proof Key for Code Exchange (S256). No client secrets required.
  • Session tokens — short-lived access tokens (5 min) + rotating refresh tokens. Refresh token reuse revokes the entire session chain.

API Security

  • Token exchange — API keys are never used directly. They are exchanged for short-lived access tokens (5 min TTL).
  • Rate limiting — dual-layer: KV-based soft limits for general traffic, Durable Object hard limits for critical endpoints (token exchange, OAuth).
  • Webhook signatures — all webhook payloads are signed with HMAC-SHA256. Constant-time comparison prevents timing attacks.

Infrastructure

  • Runs on Cloudflare Workers — edge-native, no single point of failure
  • D1 database with tenant-isolated queries
  • Strict Content Security Policy (CSP) on every response
  • All secrets stored as Cloudflare secrets (never in code)

Trust Governance

Security in Antara includes ecosystem governance:

  • Every app has a trust level and dynamic trust score
  • Moderation states escalate from warn → restrict → disabled based on safety signals
  • Users can review trust factors directly in dashboard before interacting with apps

Read the full framework in Trust Model.

Reporting a Vulnerability

Found something? Email [email protected]. We take all reports seriously and respond within 48 hours.