// Account
Security & privacy
Passwordless auth, short-lived sessions, widget isolation, tenant isolation — and where the paperwork lives.
Private by default, boring on purpose. This page is the posture at a glance; the full detail lives in What gets captured and the legal pages linked at the bottom.
Sign-in
Passwordless by design — there are no passwords to phish and no password database to breach:
- Sign-in is a 6-character one-time email code: 15-minute life, 5 attempts, and aggressively rate-limited (3 codes per 5 minutes per email).
- Invited teammates skip even that: the invite link is a signed, expiring credential that signs them straight in.
Sessions
- Access tokens live 15 minutes, in memory. Nothing rides on cookies, so classic CSRF doesn't apply.
- Refresh tokens rotate on every use (30-day lifetime). Reusing a rotated token is treated as theft: the whole chain burns and every device is signed out. Tokens are bound to the browser and stored server-side only as hashes.
- Sign out everywhere else revokes every other device's session with one click.
- Malformed auth responses fail closed — the widget would rather not load than load wrong.
The widget on your page
- Renders in an isolated shadow root with its own styles; pointer-transparent except for its own UI. It can't restyle your page or intercept your events.
- Never injects HTML from untrusted strings — no
innerHTML, noeval; all text renders through escaping-by-construction, including AI output. - URLs are validated at every sink (avatars, issue links, navigation) against an http(s) allow-list.
- Cookieless requests with short timeouts; every request carries a unique request id.
- Degrades gracefully when storage is blocked (private mode) or the network fails.
Your data
- Masked before memory: everything typed is masked by default; passwords, card fields and one-time codes can never be captured. Response bodies are never captured; request bodies are opt-in. No session video, no DOM replay, no keystroke log.
- Scrubbed twice: known secret shapes are swept in the browser before submission, and payloads are scrubbed again on ingest.
- Hard tenant isolation: every token is scoped to one project; a cross-tenant ID simply doesn't exist — it's a 404.
- Encrypted in transit and at rest, and never used to train models.
- Screenshots handled like evidence: re-encoded server-side (strips anything that isn't pixels), served via 10-minute signed URLs, deleted after 90 days.
Rate limiting
Every endpoint class has purpose-built limits — sign-in codes, invites, uploads, API, webhooks — abuse-resistant by default.
API access
Programmatic access uses rbk_ tokens: explicit scopes, shown once, stored as SHA-256 hashes, 365-day default expiry, last-used visibility, immediate revocation. Read-only tokens are a first-class setup for observer agents — see MCP for coding agents.
The paperwork
All live, all public: