Enterprise Grade Security

Enterprise-grade security with JWT authentication, API key management, TLS encryption, and configurable rate limiting at every level.

Security Pillars

Multi-layered security at every level of the stack

Authentication

  • JWT tokens with configurable expiration
  • API key authentication for server-to-server
  • Per-channel publish/subscribe permissions
  • Role-based access control (RBAC)
  • API key rotation without downtime

Encryption

  • TLS 1.3 for all connections (WSS)
  • HMAC-SHA256 signed webhook payloads
  • API keys hashed at rest (bcrypt)
  • JWT secrets never exposed to clients
  • Encrypted database connections

Protection

  • Configurable per-app rate limiting
  • Per-channel message throttling
  • Per-user connection limits
  • Message size validation & sanitization
  • DDoS protection at infrastructure level

How We Protect Your Data

Authentication Flow

Clients authenticate using JWT tokens issued by your backend. Tokens include channel permissions, expiration, and custom claims. The server validates tokens on every connection and rejects expired or malformed tokens instantly.

End-to-End Encryption

All data in transit is encrypted using TLS 1.3 (WSS). Database connections use encrypted channels. API keys are stored as bcrypt hashes — even we cannot read them. Webhook payloads are signed with HMAC-SHA256.

Rate Limiting & Throttling

A three-tier rate-limiting engine applies limits per application, per channel, and per user. It uses a sliding-window algorithm to prevent burst abuse. Limits are configurable, and clients are notified automatically when they are throttled.
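The three-tier sliding-window scheme described above, as an added illustration (this is not wSocket's own code; the key layout, the window length and the limits are assumptions). A message is only admitted, and only counted, when every tier has headroom, so a rejected message never consumes quota at a tier that would have allowed it; the tier name returned is what a server would send back in the throttle notification.

```python
import time
from collections import defaultdict, deque


class SlidingWindowCounter:
    """Sliding-window log: one timestamp per accepted event, kept per key."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self._log = defaultdict(deque)

    def _prune(self, key, now):
        # Drop every event that has slid out of the window before counting.
        q = self._log[key]
        while q and q[0] <= now - self.window:
            q.popleft()
        return q

    def remaining(self, key, now):
        return self.limit - len(self._prune(key, now))

    def record(self, key, now):
        self._log[key].append(now)


class TieredLimiter:
    """Per-app, per-channel and per-user limits (assumed limits; window in seconds)."""

    def __init__(self, app_limit, channel_limit, user_limit, window=1.0):
        self.tiers = {
            "app": SlidingWindowCounter(app_limit, window),
            "channel": SlidingWindowCounter(channel_limit, window),
            "user": SlidingWindowCounter(user_limit, window),
        }

    def check(self, app, channel, user, now=None):
        """Return None if the message is allowed, otherwise the tier that throttled it."""
        now = time.monotonic() if now is None else now
        # Assumed key layout: channels and users are scoped to their application.
        keys = {"app": app, "channel": (app, channel), "user": (app, user)}
        for name, counter in self.tiers.items():
            if counter.remaining(keys[name], now) <= 0:
                return name  # rejected: nothing recorded at any tier
        for name, counter in self.tiers.items():
            counter.record(keys[name], now)
        return None
```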

Audit Logging

Every administrative action is logged with timestamp, actor, and IP address. Connection events, authentication failures, and rate limit violations are tracked in real-time and visible in your dashboard.

Input Validation

All incoming messages are validated for size, structure, and content type. Channel names are sanitized. WebSocket frames are strictly validated per RFC 6455. Malformed payloads are rejected immediately.

Automatic Key Rotation

API keys can be rotated without downtime. Old keys continue working during a configurable grace period. JWT secrets support rotation with dual-validation for seamless transitions.

Infrastructure Security

wSocket servers run in isolated environments with network-level protection. Every component is hardened and continuously monitored.

  • Containerized deployments with minimal attack surface
  • Network isolation between services (Redis, MongoDB, Backend)
  • Automated vulnerability scanning on every build
  • No secrets in code — all sensitive config via environment variables
  • Regular dependency updates and security patches
  • Open-source codebase — fully auditable by the community

Security Headers

X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000
X-XSS-Protection: 1; mode=block
Content-Security-Policy: default-src 'self'
Referrer-Policy: strict-origin

Transparency & Trust

Open Source

Full source code available on GitHub. Audit every line.

MIT License

Free to use, modify, and deploy without restrictions.

Self-Hostable

Run on your own infrastructure for complete data control.

No Telemetry

Zero tracking, zero analytics collection, zero phone-home.
