Security by design

Keep authorization in the user's hands

Security is not a page badge; it is enforced through passwords, tokens, tenant boundaries, audits, and credential handling.

01

Platform account security

Passwords use Argon2id hashing. Refresh tokens are stored only as hashes and continuously rotated; replay revokes the whole token family.

  • HttpOnly cookies and CSRF protection
  • Rate limiting for sign-in and sensitive routes
  • Password changes revoke prior sessions
02

Multi-tenant isolation

The user console derives the personal tenant from the authenticated identity and never trusts a tenant_id from the frontend. Every resource request verifies membership and permission.

03

Telegram credential boundary

Sessions are encrypted with an independent key. Administrators cannot view them in plaintext. Users can revoke authorization, and the platform does not provide bulk messaging, member invitations, or spam tools.

04

Traceable administration

Disabling users, revoking sessions, and changing system settings write audit entries that ordinary users cannot modify. Sensitive fields are masked automatically.

Create your secure automation entry point.

After registration and verification, connect Telegram, choose bots, set a schedule, and review execution records.

Create an account