Get started

// Account

Security & privacy

Passwordless auth, short-lived sessions, widget isolation, tenant isolation — and where the paperwork lives.

Private by default, boring on purpose. This page is the posture at a glance; the full detail lives in What gets captured and the legal pages linked at the bottom.

Sign-in

Passwordless by design — there are no passwords to phish and no password database to breach:

  • Sign-in is a 6-character one-time email code: 15-minute life, 5 attempts, and aggressively rate-limited (3 codes per 5 minutes per email).
  • Invited teammates skip even that: the invite link is a signed, expiring credential that signs them straight in.

Sessions

  • Access tokens live 15 minutes, in memory. Nothing rides on cookies, so classic CSRF doesn't apply.
  • Refresh tokens rotate on every use (30-day lifetime). Reusing a rotated token is treated as theft: the whole chain burns and every device is signed out. Tokens are bound to the browser and stored server-side only as hashes.
  • Sign out everywhere else revokes every other device's session with one click.
  • Malformed auth responses fail closed — the widget would rather not load than load wrong.

The widget on your page

  • Renders in an isolated shadow root with its own styles; pointer-transparent except for its own UI. It can't restyle your page or intercept your events.
  • Never injects HTML from untrusted strings — no innerHTML, no eval; all text renders through escaping-by-construction, including AI output.
  • URLs are validated at every sink (avatars, issue links, navigation) against an http(s) allow-list.
  • Cookieless requests with short timeouts; every request carries a unique request id.
  • Degrades gracefully when storage is blocked (private mode) or the network fails.

Your data

  • Masked before memory: everything typed is masked by default; passwords, card fields and one-time codes can never be captured. Response bodies are never captured; request bodies are opt-in. No session video, no DOM replay, no keystroke log.
  • Scrubbed twice: known secret shapes are swept in the browser before submission, and payloads are scrubbed again on ingest.
  • Hard tenant isolation: every token is scoped to one project; a cross-tenant ID simply doesn't exist — it's a 404.
  • Encrypted in transit and at rest, and never used to train models.
  • Screenshots handled like evidence: re-encoded server-side (strips anything that isn't pixels), served via 10-minute signed URLs, deleted after 90 days.

Rate limiting

Every endpoint class has purpose-built limits — sign-in codes, invites, uploads, API, webhooks — abuse-resistant by default.

API access

Programmatic access uses rbk_ tokens: explicit scopes, shown once, stored as SHA-256 hashes, 365-day default expiry, last-used visibility, immediate revocation. Read-only tokens are a first-class setup for observer agents — see MCP for coding agents.

The paperwork

All live, all public: