Security
Built for supervised automation.
The security model assumes agents are powerful actors that need clear scopes, approvals, quotas, and reviewable evidence.
Cognito-backed custom authentication with secured dev, staging, and production routes.
Email verification deliverability gates for SES identity, DKIM DNS, Cognito sender configuration, signup, resend, reset, monitoring, and rollback evidence.
Workspace-scoped authorization for humans, admins, billing owners, read-only users, and agents.
Human approval gates for sensitive agent actions and export access.
Scoped agent API tokens with audit logging, quota checks, and rate limits.
Security headers, CORS controls, WAF planning, secret scanning, and encrypted AWS-managed secrets.
Email verification deliverability
Production account verification is gated on 8 evidence-backed checks: SES identity, DKIM DNS, Cognito sender binding, signup delivery, resend delivery, password-reset delivery, bounce and complaint monitoring, and fallback sender rollback.
Source: docs/engineering/cognito-ses-sender-domain.md
Enterprise security review
The security whitepaper summarizes architecture, Cognito authentication, tenant isolation, audit logs, encryption, backups, CI gates, AWS deployment, and agent-specific approval controls.