Security Overview

Authentication and session security

• Magic-link authentication with short-lived verification tokens.
• JWT-based API auth with server-side user state validation.
• HTTP-only auth cookie support for API session handling.
• Rate limits on authentication and sensitive endpoints.

Data and transport protections

• TLS enforced in production with HSTS headers.
• Postgres over SSL (`neondb` production runtime).
• Security headers via Helmet and restrictive CSP.
• Server-side input validation and bounded query parameters.

Integration and webhook security

• OAuth2 flows for QuickBooks and Xero with signed state validation.
• Token refresh handling and encrypted transport to provider APIs.
• Provider access/refresh tokens and tenant/company IDs are encrypted at rest.
• Pause-work outbound webhook signing using HMAC-SHA256 and request timestamp headers.
• Per-delivery audit logs for pause-work outbound channels.

Monitoring and incident response

• Application error monitoring (Sentry).
• Audit events for activation, sync, and recovery actions.
• Operational cron health checks and failure telemetry.

Security reports: info@billzy.io