Project Feed is passwordless by design. You can sign in with magic links, OAuth providers, passkeys, or enterprise SSO via OIDC. No passwords are ever stored.
Sign in by clicking a link sent to your email. No password required. Links expire after a short window and can only be used once.
Use biometric authentication (Face ID, Touch ID, Windows Hello) or a hardware security key. Passkeys are phishing-resistant and tied to your device.
Use any authenticator app (Google Authenticator, Authy, 1Password, etc.) to generate time-based codes at sign-in. Available for all users, and workspace owners can require it for everyone.
Sign in with Google or Microsoft. OAuth uses the authorization code flow with PKCE for enhanced security. Your profile picture and name are synced from the provider.
Connect your identity provider (Okta, Azure AD, Google Workspace, etc.) for centralized authentication. Available on the Pro Plus plan.
In your IdP (Okta, Azure AD, etc.), create a new OIDC application. Set the redirect URI to the value shown in your Project Feed SSO settings.
Go to Settings → Security and enter your Client ID, Client Secret, and Issuer URL. Project Feed picks up endpoints automatically from the .well-known/openid-configuration document.
Hit the “Test Connection” button to verify everything works. Once it passes, enable SSO. You can also enforce SSO so all members have to sign in through the IdP.
All OIDC flows use Proof Key for Code Exchange (PKCE) to protect against authorization code interception attacks.
ID tokens are verified against the signing keys published at the IdP's JWKS endpoint. Issuer, audience, and expiration are all validated before granting access.
A cryptographically random state parameter prevents CSRF attacks during the OAuth/OIDC flow. States expire after 10 minutes.
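The three protections above (PKCE, JWKS-based ID token verification with issuer/audience/expiry checks, and a single-use state that expires after 10 minutes) can be seen together in the following added example. It is illustrative code written for this page, not Project Feed's own implementation. The issuer URL, client ID and JWKS are assumed stand-ins, and the signature check uses HS256 with a symmetric JWK so the block runs with only the standard library; real IdPs publish RSA/EC keys, which a JOSE library verifies the same way.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple

# Hypothetical stand-ins for a workspace's real SSO settings (assumed values).
ISSUER = "https://idp.example.com"
CLIENT_ID = "projectfeed-client"
STATE_TTL_SECONDS = 10 * 60  # states expire after 10 minutes


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 and JOSE require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def pkce_challenge(verifier: str) -> str:
    """S256 method: code_challenge = base64url(SHA-256(code_verifier))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def new_pkce_pair() -> Tuple[str, str]:
    """Fresh verifier (32 random bytes -> 43 chars, within RFC 7636's 43..128)."""
    verifier = b64url(secrets.token_bytes(32))
    return verifier, pkce_challenge(verifier)


class StateStore:
    """Server-side record of issued `state` values; each is single-use and expires."""

    def __init__(self, ttl: int = STATE_TTL_SECONDS):
        self.ttl = ttl
        self._issued = {}  # state -> issue time

    def issue(self, now: Optional[float] = None) -> str:
        state = b64url(secrets.token_bytes(24))
        self._issued[state] = time.time() if now is None else now
        return state

    def consume(self, state: str, now: Optional[float] = None) -> bool:
        """True only the first time a known, unexpired state is presented."""
        issued_at = self._issued.pop(state, None)
        if issued_at is None:
            return False
        now = time.time() if now is None else now
        return now - issued_at <= self.ttl


def verify_id_token(token: str, jwks: dict, now: float, nonce: Optional[str] = None) -> dict:
    """Select the signing key by `kid` from the JWKS, check the signature, then
    validate iss, aud, exp (and nonce when one was sent). Raises ValueError.
    Only HS256 with a symmetric ("oct") JWK is implemented so the example runs
    without a crypto library."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(b64url_decode(h_b64))
    if header.get("alg") != "HS256":        # allow-list the algorithm; never "none"
        raise ValueError("unsupported alg")
    key = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if key is None or key.get("kty") != "oct":
        raise ValueError("unknown signing key")
    signing_input = f"{h_b64}.{p_b64}".encode("ascii")
    expected = hmac.new(b64url_decode(key["k"]), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise ValueError("token expired")
    if nonce is not None and claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch")
    return claims


# Constructed sample IdP material so the verifier can be exercised offline.
SAMPLE_KEY = b"constructed-32-byte-demo-key!!!!"
SAMPLE_JWKS = {"keys": [{"kty": "oct", "kid": "demo-1", "k": b64url(SAMPLE_KEY)}]}


def mint_hs256(claims: dict, key: bytes, kid: str) -> str:
    """What the sample IdP would issue; exists only to feed verify_id_token."""
    h = b64url(json.dumps({"alg": "HS256", "typ": "JWT", "kid": kid}).encode())
    p = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url(sig)}"
```

The state is popped on first use, so a replayed callback fails even inside the 10-minute window, and the algorithm is pinned before any key is looked up so a token claiming `alg: none` is rejected rather than trusted.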
Client secrets and refresh tokens are encrypted at rest using AES-256-GCM. They are never exposed in the UI after initial configuration.
Every workspace member has a role that controls what they can do. Roles are checked on every API call through a centralized authorization gate.
Full access to all settings, billing, SSO configuration, and member management. Can delete the workspace.
Can manage members, projects, integrations, billing, and most settings. Cannot delete the workspace.
Can create and edit posts, comment, react, and view the feed. Cannot modify workspace or project settings.
Read-only access to the feed. Can browse posts, add bookmarks, leave comments, and react. Cannot create posts or tasks.
Workspace owners can require multi-factor authentication for some or all members. MFA policies are configured in Settings → Security.
Members can enable 2FA on their own account but are not required to. This is the default.
Owners and admins must set up 2FA. Regular members and viewers are not affected.
Every workspace member must set up 2FA. A configurable grace period (in days) gives members time to enroll before enforcement takes effect.
Control how long sessions remain active and how many concurrent sessions a user can have. These settings are available in Settings → Security.
Automatically sign out users after a period of inactivity. Configured in minutes.
Force re-authentication after a maximum session duration, regardless of activity. Configured in hours.
Limit how many devices a user can be signed in on at the same time. When the limit is exceeded, the oldest session is revoked.
Set a maximum lifetime for API keys. Expired keys must be rotated. Helps limit the blast radius of leaked credentials.
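The interaction between the idle timeout, the absolute timeout and the concurrent-session limit is easiest to see in code. The following is an added example written for this page, not Project Feed's own session code; the policy values and the `sess-N` identifiers are assumed, and the clock is injectable so the behaviour can be checked without waiting.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class SessionPolicy:
    """Mirrors the three settings described above (values here are assumed)."""
    idle_timeout_minutes: int = 30
    absolute_timeout_hours: int = 24
    max_concurrent_sessions: int = 3


@dataclass
class Session:
    session_id: str
    user_id: str
    created_at: float
    last_seen: float
    revoked_reason: Optional[str] = None   # None while the session is live


class SessionStore:
    """In-memory session table enforcing the policy (hypothetical helper)."""

    def __init__(self, policy: SessionPolicy, clock: Callable[[], float] = time.time):
        self.policy = policy
        self._clock = clock
        self._sessions: Dict[str, Session] = {}
        self._seq = 0

    def _expiry_reason(self, s: Session, now: float) -> Optional[str]:
        # Absolute lifetime is checked first: activity never extends it.
        if now - s.created_at > self.policy.absolute_timeout_hours * 3600:
            return "absolute_timeout"
        if now - s.last_seen > self.policy.idle_timeout_minutes * 60:
            return "idle_timeout"
        return None

    def _live_sessions(self, user_id: str, now: float):
        live = []
        for s in self._sessions.values():
            if s.user_id != user_id or s.revoked_reason is not None:
                continue
            reason = self._expiry_reason(s, now)
            if reason:                     # lazily retire sessions that timed out
                s.revoked_reason = reason
                continue
            live.append(s)
        return sorted(live, key=lambda s: s.created_at)

    def create(self, user_id: str) -> Session:
        now = self._clock()
        self._seq += 1
        s = Session(f"sess-{self._seq}", user_id, now, now)
        self._sessions[s.session_id] = s
        live = self._live_sessions(user_id, now)
        # Over the concurrent limit: revoke the oldest sessions first.
        while len(live) > self.policy.max_concurrent_sessions:
            live.pop(0).revoked_reason = "concurrent_session_limit"
        return s

    def touch(self, session_id: str) -> Optional[str]:
        """Call on every request. Returns None if the session is still valid,
        otherwise the reason it was rejected."""
        s = self._sessions.get(session_id)
        if s is None:
            return "unknown_session"
        if s.revoked_reason is not None:
            return s.revoked_reason
        now = self._clock()
        reason = self._expiry_reason(s, now)
        if reason:
            s.revoked_reason = reason
            return reason
        s.last_seen = now                  # activity extends the idle window only
        return None

    def revoke(self, session_id: str, reason: str = "user_logout") -> None:
        s = self._sessions.get(session_id)
        if s is not None and s.revoked_reason is None:
            s.revoked_reason = reason
```

Returning the rejection reason rather than a bare boolean is what makes the audit log useful later: an "absolute_timeout" entry and a "concurrent_session_limit" entry tell an investigator very different things.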
Restrict workspace access to a list of approved IP addresses or CIDR ranges. When enabled, requests from unlisted IPs are blocked at the proxy layer before reaching the application and receive a 403 response.
Tip: Always add your current IP before enabling the allowlist to avoid locking yourself out.
All sensitive actions (member changes, setting updates, SSO events) are recorded in an append-only audit log. Logs are accessible to workspace owners and admins.
REST API access uses scoped API keys with configurable permissions. Keys are hashed before storage and can be revoked instantly.
All API endpoints are rate-limited to prevent abuse. Limits are applied per API key and per IP address with configurable windows.
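The IP allowlist, the hashed and revocable API keys with scopes and a maximum lifetime, and the per-key and per-IP rate limits all sit in front of the application as a request gate. The block below is an added example written for this page, not Project Feed's own proxy or API code; the `pf_` key prefix, the scope names, the limits and the sample addresses are all constructed for illustration.

```python
import hashlib
import ipaddress
import secrets
from collections import defaultdict, deque
from typing import Deque, Dict, Optional, Tuple


class IpAllowlist:
    """Approved single IPs or CIDR ranges; a bare address becomes a /32 (or /128)."""

    def __init__(self, entries):
        self._networks = [ipaddress.ip_network(e, strict=False) for e in entries]

    def allows(self, ip: str) -> bool:
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            return False                     # unparsable client address: fail closed
        return any(addr in net for net in self._networks)


def hash_key(raw_key: str) -> str:
    """Only this digest is stored; the raw key is shown once at creation."""
    return hashlib.sha256(raw_key.encode("ascii")).hexdigest()


class ApiKeyStore:
    def __init__(self):
        self._by_hash: Dict[str, dict] = {}

    def create(self, scopes, max_lifetime_days: int, now: float) -> str:
        raw = "pf_" + secrets.token_urlsafe(32)    # "pf_" prefix is an assumed convention
        self._by_hash[hash_key(raw)] = {
            "scopes": set(scopes),
            "expires_at": now + max_lifetime_days * 86400,
            "revoked": False,
        }
        return raw

    def revoke(self, raw_key: str) -> None:
        rec = self._by_hash.get(hash_key(raw_key))
        if rec:
            rec["revoked"] = True

    def authenticate(self, raw_key: str, now: float) -> Optional[dict]:
        rec = self._by_hash.get(hash_key(raw_key))
        if rec is None or rec["revoked"] or now >= rec["expires_at"]:
            return None
        return rec


class RateLimiter:
    """Sliding-window counter per identifier (an API key hash or a client IP)."""

    def __init__(self, limit: int, window_seconds: int):
        self.limit = limit
        self.window = window_seconds
        self._hits: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, ident: str, now: float) -> bool:
        q = self._hits[ident]
        while q and q[0] <= now - self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def gate(request: dict, allowlist: IpAllowlist, keys: ApiKeyStore,
         key_limiter: RateLimiter, ip_limiter: RateLimiter, now: float) -> Tuple[int, str]:
    """Order matters: a blocked IP never reaches key lookup, and an
    unauthenticated caller never consumes the per-key budget."""
    ip = request.get("ip", "")
    if not allowlist.allows(ip):
        return 403, "ip_not_allowed"
    if not ip_limiter.allow(ip, now):
        return 429, "rate_limited_ip"
    raw_key = request.get("api_key", "")
    rec = keys.authenticate(raw_key, now)
    if rec is None:
        return 401, "invalid_or_expired_key"
    if request.get("scope") not in rec["scopes"]:
        return 403, "insufficient_scope"
    if not key_limiter.allow(hash_key(raw_key), now):
        return 429, "rate_limited_key"
    return 200, "ok"
```

Because the store keeps only SHA-256 digests of keys, a leaked database copy does not yield usable credentials, and the maximum lifetime means a key that was copied somewhere long ago stops working on its own even if nobody notices the leak.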
All uploaded media is served through a secure proxy route. Direct R2 URLs are never exposed to clients, preventing unauthorized access to stored files.