Security & SSO
Project Feed uses secure sign-in methods. You can sign in with magic links, OAuth providers, passkeys, or enterprise SSO via OIDC. No passwords are ever stored.
Authentication Methods
Magic Link
Sign in by clicking a link sent to your email. No password required. Links expire after a short window and can only be used once.
Passkeys
Use biometric authentication (Face ID, Touch ID, Windows Hello) or a hardware security key. Passkeys are phishing-resistant and tied to your device.
Two-Factor Authentication (2FA)
Use any authenticator app (Google Authenticator, Authy, 1Password, etc.) to generate time-based codes at sign-in. Available for all users, and workspace owners can require it for everyone.
OAuth Providers
Sign in with Google or Microsoft. OAuth uses the PKCE flow for enhanced security. Your profile picture and name are synced from the provider.
SSO (OIDC)
Connect your identity provider (Okta, Azure AD, Google Workspace, etc.) for centralized authentication. Available on the Pro Plus plan.
Setting Up SSO
- 1.
Configure Your Identity Provider
In your IdP (Okta, Azure AD, etc.), create a new OIDC application. Set the redirect URI to the value shown in your Project Feed SSO settings.
- 2.
Enter OIDC Details
Go to Settings → Security and enter your Client ID, Client Secret, and Issuer URL. Project Feed picks up endpoints automatically from the
.well-known/openid-configurationdocument. - 3.
Test & Enable
Hit the “Test Connection” button to verify everything works. Once it passes, enable SSO. You can also enforce SSO so all members have to sign in through the IdP.
SSO Security Details
PKCE Flow
All OIDC flows use Proof Key for Code Exchange (PKCE) to protect against authorization code interception attacks.
JWT Verification
ID tokens are verified using the IdP's published JWKS keys. Issuer, audience, and expiration are all validated before granting access.
State Parameter
A cryptographic state parameter prevents CSRF attacks during the OAuth/OIDC flow. States expire after 10 minutes.
Token Encryption
Client secrets and refresh tokens are encrypted at rest using AES-256-GCM. They are never exposed in the UI after initial configuration.
Roles & Permissions
Every workspace member has a role that controls what they can do. Roles are checked on every API call through a centralized authorization gate.
Full access to all settings, billing, SSO configuration, and member management. Can delete the workspace.
Can manage members, projects, integrations, billing, and most settings. Cannot delete the workspace.
Can create and edit posts, comment, react, and view the feed. Cannot modify workspace or project settings.
Read-only access to the feed. Can browse posts, add bookmarks, leave comments, and react. Cannot create posts or tasks.
MFA and Session Policy
Project Feed organization settings enforce workspace membership and roles. MFA challenges, enrolled factors, browser session lifetime, and session policy are managed by WorkOS AuthKit.
Managed by WorkOS AuthKit
Configure MFA and session policy in WorkOS/AuthKit. Project Feed consumes AuthKit sessions and access tokens after sign-in.
Project Feed Access
Project Feed enforces org-scoped RBAC with app membership and role checks after AuthKit authenticates the account.
IP Allowlist
Restrict workspace access to a list of approved IP addresses or CIDR ranges. When enabled, requests from unlisted IPs are blocked at the proxy layer before reaching the application.
How It Works
- Go to Settings → Security → IP Allowlist.
- Enable the allowlist and add your office, VPN, or CI/CD IP addresses.
- Save. All requests from IPs not on the list will be denied with a
403response.
Tip: Always add your current IP before enabling the allowlist to avoid locking yourself out.
Infrastructure Security
Audit Logging
All sensitive actions (member changes, setting updates, SSO events) are recorded in an append-only audit log. Logs are accessible to workspace owners and admins.
API Key Authentication
REST API access uses scoped API keys with configurable permissions. Keys are hashed before storage and can be revoked instantly.
Rate Limiting
All API endpoints are rate-limited to prevent abuse. Limits are applied per API key and per IP address with configurable windows.
Media Security
All uploaded media is served through a secure proxy route. Direct R2 URLs are never exposed to clients, preventing unauthorized access to stored files.