Skip to contentSkip to navigation

Security

The service is built around safe delivery keys, URL validation, rate limits, and safe delivery logs.

Delivery Keys

  • raw keys are shown only once
  • only key hashes are stored
  • safe key prefixes can be shown in the dashboard
  • revoked keys stop accepting delivery requests

URLs

Auth URLs must include only a non-empty token query parameter. My URLs mode accepts configured website or app URL roots. Own Auth hosted mode replaces the destination with the app's fixed go.own-auth.com bridge URL, which prevents a delivery key from choosing an arbitrary redirect.

Delivery Logs

Delivery logs are for debugging emails your app sends to users, not for storing auth secrets. They should show safe status and error information only.

  • no auth URLs
  • no raw tokens
  • no raw delivery keys
  • no passwords

Limits

Delivery requests are limited by delivery key, recipient, and app daily limit. Limits reduce abuse and stop one app from affecting every other app.

Security | Own Auth Docs