Security & SSO

Project Feed uses secure sign-in methods. You can sign in with magic links, OAuth providers, passkeys, or enterprise SSO via OIDC. No passwords are ever stored.

Authentication Methods

Magic Link

Sign in by clicking a link sent to your email. No password required. Links expire after a short window and can only be used once.

Passkeys

Use biometric authentication (Face ID, Touch ID, Windows Hello) or a hardware security key. Passkeys are phishing-resistant and tied to your device.

Two-Factor Authentication (2FA)

Use any authenticator app (Google Authenticator, Authy, 1Password, etc.) to generate time-based codes at sign-in. Available for all users, and workspace owners can require it for everyone.

OAuth Providers

Sign in with Google or Microsoft. OAuth uses the PKCE flow for enhanced security. Your profile picture and name are synced from the provider.

SSO (OIDC)

Connect your identity provider (Okta, Azure AD, Google Workspace, etc.) for centralized authentication. Available on the Pro Plus plan.

Setting Up SSO

  1. 1.

    Configure Your Identity Provider

    In your IdP (Okta, Azure AD, etc.), create a new OIDC application. Set the redirect URI to the value shown in your Project Feed SSO settings.

  2. 2.

    Enter OIDC Details

    Go to Settings → Security and enter your Client ID, Client Secret, and Issuer URL. Project Feed picks up endpoints automatically from the .well-known/openid-configuration document.

  3. 3.

    Test & Enable

    Hit the “Test Connection” button to verify everything works. Once it passes, enable SSO. You can also enforce SSO so all members have to sign in through the IdP.

SSO Security Details

PKCE Flow

All OIDC flows use Proof Key for Code Exchange (PKCE) to protect against authorization code interception attacks.

JWT Verification

ID tokens are verified using the IdP's published JWKS keys. Issuer, audience, and expiration are all validated before granting access.

State Parameter

A cryptographic state parameter prevents CSRF attacks during the OAuth/OIDC flow. States expire after 10 minutes.

Token Encryption

Client secrets and refresh tokens are encrypted at rest using AES-256-GCM. They are never exposed in the UI after initial configuration.

Roles & Permissions

Every workspace member has a role that controls what they can do. Roles are checked on every API call through a centralized authorization gate.

Owner

Full access to all settings, billing, SSO configuration, and member management. Can delete the workspace.

Admin

Can manage members, projects, integrations, billing, and most settings. Cannot delete the workspace.

Member

Can create and edit posts, comment, react, and view the feed. Cannot modify workspace or project settings.

Viewer

Read-only access to the feed. Can browse posts, add bookmarks, leave comments, and react. Cannot create posts or tasks.

MFA and Session Policy

Project Feed organization settings enforce workspace membership and roles. MFA challenges, enrolled factors, browser session lifetime, and session policy are managed by WorkOS AuthKit.

Managed by WorkOS AuthKit

Configure MFA and session policy in WorkOS/AuthKit. Project Feed consumes AuthKit sessions and access tokens after sign-in.

Project Feed Access

Project Feed enforces org-scoped RBAC with app membership and role checks after AuthKit authenticates the account.

IP Allowlist

Restrict workspace access to a list of approved IP addresses or CIDR ranges. When enabled, requests from unlisted IPs are blocked at the proxy layer before reaching the application.

How It Works

  1. Go to Settings → Security → IP Allowlist.
  2. Enable the allowlist and add your office, VPN, or CI/CD IP addresses.
  3. Save. All requests from IPs not on the list will be denied with a 403 response.

Tip: Always add your current IP before enabling the allowlist to avoid locking yourself out.

Infrastructure Security

Audit Logging

All sensitive actions (member changes, setting updates, SSO events) are recorded in an append-only audit log. Logs are accessible to workspace owners and admins.

API Key Authentication

REST API access uses scoped API keys with configurable permissions. Keys are hashed before storage and can be revoked instantly.

Rate Limiting

All API endpoints are rate-limited to prevent abuse. Limits are applied per API key and per IP address with configurable windows.

Media Security

All uploaded media is served through a secure proxy route. Direct R2 URLs are never exposed to clients, preventing unauthorized access to stored files.