Security

Authentication

• OAuth sign-in — we support Google, GitHub, Slack, Microsoft, Apple, and Yandex. When you use OAuth, we never see or store your password.
• Password hashing — if you use email/password login, your password is hashed with an industry-standard algorithm. We never store plaintext passwords.
• Session management — sessions use short-lived JWT access tokens (24 hours) and refresh tokens (90 days). Sessions can be revoked at any time from Account Settings.
• OAuth with PKCE — our MCP and API OAuth flows use PKCE (Proof Key for Code Exchange) to prevent authorization code interception.

Encryption

• In transit — all connections to oack.io, app.oack.io, and api.oack.io use TLS (HTTPS). No exceptions. API endpoints reject plaintext HTTP.
• Status pages — each status page gets its own SSL certificate provisioned automatically via Let's Encrypt.
• Checker connections — checkers connect to the Oack API over TLS. Checker-to-target connections use the protocol configured by the monitor (HTTP or HTTPS).

Access Control

• Role-based access — account-level roles (Owner, Admin, Billing Admin, Member, Guest) and team-level roles (Owner, Admin, Member) restrict who can view, create, or modify resources.
• Team isolation — monitors, alert channels, and probe data are scoped to teams. Members only see teams they belong to.
• API keys — API keys are stored as SHA-256 hashes. Only the key prefix (oack_) is visible in the UI after creation. Keys can be scoped with specific permissions and expiration dates.
• MCP read-only — the Model Context Protocol integration provides read-only access. AI agents can query your monitoring data but cannot modify monitors, channels, or settings.

Infrastructure

• Hosting — the Oack platform runs on dedicated infrastructure with restricted access. Only the founder has production access.
• Database — encrypted connections with regular automated backups.
• Edge layer — hardened TLS configuration, rate limiting, and request filtering at the network edge.
• Observability — request tracing via X-Request-ID, Server-Timing headers, and structured logging for audit trails.

Data Protection

• Webhook HMAC signatures — all outgoing webhook payloads are signed with HMAC so you can verify they originated from Oack.
• Share link redaction — when sharing probe data externally, you can redact monitor names, checker IPs, source ASNs, and HTTP bodies/auth headers. Redaction is applied server-side before any data leaves our system.
• Automatic data cleanup — probe data is retained per plan limits (7/90/365 days). Unverified email subscriptions are deleted after 24 hours. Deleted accounts are permanently purged after 30 days.
• No third-party tracking — we do not use analytics cookies, tracking pixels, or advertising scripts on our website or platform.

Checker Security

Network checkers are agents that run on your infrastructure (or ours) and perform health checks.

• Token-based auth — checkers authenticate with the API using device-flow OAuth tokens stored in a local SQLite database.
• Offline resilience — if a checker loses connectivity, probe results are buffered locally in a SQLite ring buffer and replayed when the connection is restored. No data is lost.
• Minimal privileges — checkers only need network access to your monitored endpoints and the Oack API. They do not require root access (except NET_RAW capability for packet captures, which is optional).

What We're Working On

We're an early-stage product and committed to improving our security posture. On our roadmap:

• Two-factor authentication (TOTP and WebAuthn)
• SSO/SAML for enterprise accounts
• Audit logging visible to account admins
• SOC 2 Type II compliance

We'll update this page as we ship these features.

Reporting Vulnerabilities

If you discover a security vulnerability in Oack, please report it responsibly. We appreciate your help keeping our users safe.

Questions?

If you have security questions or concerns:

• Email: [email protected]
• Community: Discord · Telegram