Security Model
How varsafe protects your secrets.
Security Architecture Overview
Request flow
- TLS — All connections encrypted in transit
- Validate — Session token hashed and verified
- Authorize — Role and environment permissions checked
- Store — Metadata to database, secret values to encrypted vault
Secrets Storage
What varsafe Stores
In database (metadata only):
- Secret keys (not values)
- Version numbers
- Timestamps
- Team/service relationships
- Audit events
In Encrypted Secrets Store (values):
- Actual secret values
- Encrypted at rest with industry-standard encryption
- Access controlled by varsafe API
What varsafe Cannot See
- Secret values are encrypted at rest
- Decryption happens only for authorized requests
Encryption
Encryption at every layer
- At rest — Secrets are encrypted in storage
- In transit — All connections use TLS
- Session tokens — Cryptographically hashed before storage
- Passwords — Securely hashed with modern algorithms
Authentication
Session Tokens
varsafe uses opaque session tokens:
- Generation — Cryptographically secure random bytes
- Storage — Tokens are hashed before storage (we can't see your token)
- Validation — Token is hashed and looked up server-side
Session Properties
Each session includes:
- User ID
- Team memberships
- Creation timestamp
- Expiration (30 days with rolling renewal)
- Source IP address
- User agent
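The token lifecycle described above (random generation, hash-only storage, hashed lookup, 30-day rolling expiry, revocation) as an added Python example; this is illustrative code, not varsafe's implementation. The in-memory `SESSION_STORE` dictionary stands in for the sessions table and the choice of SHA-256 for the token hash is an assumption.

```python
import hashlib
import secrets
import time

SESSION_LIFETIME_S = 30 * 24 * 3600  # 30 days, renewed on every successful validation

# Constructed in-memory stand-in for the sessions table. It is keyed by the
# token's hash; the raw token is never written anywhere server-side.
SESSION_STORE: dict[str, dict] = {}


def hash_token(token: str) -> str:
    # The token is 256 bits of CSPRNG output, so an unsalted SHA-256 is enough
    # (assumed hash): a copy of this table cannot be turned back into usable tokens.
    return hashlib.sha256(token.encode("ascii")).hexdigest()


def create_session(user_id: str, team_ids: list, ip: str, user_agent: str,
                   now: float = None) -> str:
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 32 bytes from the OS CSPRNG, base64url-encoded
    SESSION_STORE[hash_token(token)] = {
        "userId": user_id,
        "teams": list(team_ids),
        "createdAt": now,
        "expiresAt": now + SESSION_LIFETIME_S,
        "ip": ip,
        "userAgent": user_agent,
    }
    return token  # handed to the client once; only its hash remains here


def validate_session(token: str, now: float = None):
    """Hash the presented token, look it up, enforce expiry, then renew."""
    now = time.time() if now is None else now
    digest = hash_token(token)
    record = SESSION_STORE.get(digest)
    if record is None:
        return None
    if now >= record["expiresAt"]:
        del SESSION_STORE[digest]  # expired: drop it so it cannot be renewed later
        return None
    record["expiresAt"] = now + SESSION_LIFETIME_S  # rolling renewal
    return record


def revoke_session(token: str) -> bool:
    """Logout: removing the hash makes the token useless immediately."""
    return SESSION_STORE.pop(hash_token(token), None) is not None


def revoke_all_for_user(user_id: str) -> int:
    """Password change / admin force-logout: drop every session of one user."""
    doomed = [h for h, r in SESSION_STORE.items() if r["userId"] == user_id]
    for h in doomed:
        del SESSION_STORE[h]
    return len(doomed)
```

Because the store holds only hashes, a database dump does not yield working tokens, and revocation takes effect on the next request rather than at expiry.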
Multi-Factor Authentication
TOTP (Time-based One-Time Password):
- Standard TOTP algorithm (RFC 6238)
- Works with Google Authenticator, Authy, etc.
- Backup codes provided for recovery
Passkeys (WebAuthn):
- Biometric authentication (Touch ID, Face ID)
- Hardware security keys (YubiKey, etc.)
- Phishing-resistant — credentials are bound to the varsafe domain
- Passkey-only mode — Disables password login entirely, requiring a passkey for every sign-in. Requires at least 2 registered passkeys
Device Trust:
- New devices trigger an email verification code on login
- Verified devices are remembered and skip email verification on future logins
- Skipped for passkey and OAuth logins (already device-bound)
- Manage trusted devices from Profile → Security
Authorization
Role-Based Access Control
```
CAN_ACCESS(user, secret) =
    user.team OWNS secret.service
    AND user.role PERMITS secret.environment
```
Role Permissions
| Role | Unprotected Environments | Protected Environments | Team Management |
|---|---|---|---|
| Owner | Read/Write | Read/Write | Full |
| Admin | Read/Write | Read/Write | Yes |
| Developer | Read/Write | Read-only | No |
| Operator | Read-only | Read-only | No |
| Viewer | Read-only | No Access | No |
| Billing | No Access | No Access | Billing only |
By default, production is marked as protected. Any environment can be protected via settings.
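The `CAN_ACCESS` rule and the role table above, carried out as an added Python example (not varsafe's code). It goes slightly beyond the text by distinguishing read from write and by denying any role not in the table; the `User`, `Team` and `Secret` shapes are assumptions for illustration.

```python
from dataclasses import dataclass, field

# Transcribed from the role table: "rw" = Read/Write, "r" = Read-only, None = No Access.
ROLE_PERMISSIONS = {
    "owner":     {"unprotected": "rw", "protected": "rw"},
    "admin":     {"unprotected": "rw", "protected": "rw"},
    "developer": {"unprotected": "rw", "protected": "r"},
    "operator":  {"unprotected": "r",  "protected": "r"},
    "viewer":    {"unprotected": "r",  "protected": None},
    "billing":   {"unprotected": None, "protected": None},
}


@dataclass
class User:          # assumed shape
    id: str
    team: str
    role: str


@dataclass
class Team:          # assumed shape; production is protected by default, as the page says
    id: str
    services: set
    protected_environments: set = field(default_factory=lambda: {"production"})


@dataclass
class Secret:        # assumed shape
    key: str
    service: str
    environment: str


def can_access(user: User, secret: Secret, team: Team, action: str = "read") -> bool:
    """CAN_ACCESS: user.team OWNS secret.service AND user.role PERMITS secret.environment."""
    if action not in ("read", "write"):
        raise ValueError(f"unknown action {action!r}")
    # Ownership: the user's team must own the service the secret belongs to.
    if user.team != team.id or secret.service not in team.services:
        return False
    kind = "protected" if secret.environment in team.protected_environments else "unprotected"
    # Deny by default: an unknown role gets no permissions.
    perm = ROLE_PERMISSIONS.get(user.role, {}).get(kind)
    if perm is None:
        return False
    return action == "read" or perm == "rw"
```

Marking an additional environment as protected (as the settings allow) immediately demotes developers to read-only there, which the test below exercises.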
Service Account Tokens
For CI/CD, API tokens provide:
- Scoped to a specific team
- Read/write access to all environments (admin-level)
- No interactive login required
- Separate audit trail
Audit Trail
Every action is logged immutably:
Logged Actions
| Category | Actions |
|---|---|
| Auth | login, logout, login_failed, register, 2fa_enabled, 2fa_disabled, passkey_added, passkey_removed, passkey_only_enabled, passkey_only_disabled |
| Secrets | created, updated, deleted, accessed, exported, rotated |
| Teams | created, updated, deleted, member_invited, member_removed, member_role_changed, member_deactivated, member_reactivated |
| SSO | sso_configured, sso_updated, sso_deleted |
| Tokens | token_created, token_rotated, token_revoked |
| Devices | device_trusted, device_untrusted |
| Services | created, updated, deleted |
Audit Record Structure
```json
{
  "id": "audit_abc123",
  "action": "secret.accessed",
  "actorId": "user_xyz",
  "actorEmail": "alice@example.com",
  "targetType": "secret",
  "targetId": "secret_123",
  "targetName": "DATABASE_URL",
  "teamId": "team_456",
  "serviceId": "service_789",
  "metadata": {
    "environment": "production",
    "secretKeys": ["DATABASE_URL", "API_KEY"]
  },
  "ipAddress": "192.168.1.100",
  "userAgent": "varsafe-cli/1.0.0",
  "createdAt": "2026-02-15T10:30:00.000Z"
}
```
Audit Guarantees
- Immutable — Events cannot be modified or deleted
- Complete — Every access is logged
- Tamper-evident — Integrity can be verified
- Exportable — SOC2, GDPR, HIPAA formats
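The page says the audit trail is immutable and tamper-evident but does not say how integrity is verified. One common way to get that property is a hash chain, shown here as an added Python example that is not varsafe's code: each event stores the hash of the previous event, so editing or deleting any earlier event breaks every later link. The SHA-256 chaining and the constructed sample events are assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # previous-hash value for the first event


def canonical(record: dict) -> bytes:
    """Stable serialization so the hash does not depend on key order or whitespace."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


class AuditLog:
    """Append-only log where every event carries the hash of the one before it."""

    def __init__(self) -> None:
        self.events: list = []

    def append(self, event: dict) -> dict:
        prev = self.events[-1]["hash"] if self.events else GENESIS
        body = dict(event, prevHash=prev)
        entry = dict(body, hash=hashlib.sha256(canonical(body)).hexdigest())
        self.events.append(entry)
        return entry

    def verify(self):
        """Return None if the chain is intact, else the index of the first bad event."""
        prev = GENESIS
        for i, entry in enumerate(self.events):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body.get("prevHash") != prev:
                return i  # link to the previous event is broken (deletion / reordering)
            if hashlib.sha256(canonical(body)).hexdigest() != entry["hash"]:
                return i  # this event's own content was changed
            prev = entry["hash"]
        return None


def build_sample_log() -> AuditLog:
    """Constructed sample events in the shape of the record above."""
    log = AuditLog()
    log.append({"id": "audit_abc123", "action": "secret.accessed", "actorId": "user_xyz",
                "targetName": "DATABASE_URL", "createdAt": "2026-02-15T10:30:00.000Z"})
    log.append({"id": "audit_abc124", "action": "secret.rotated", "actorId": "user_xyz",
                "targetName": "DATABASE_URL", "createdAt": "2026-02-15T10:31:00.000Z"})
    log.append({"id": "audit_abc125", "action": "logout", "actorId": "user_xyz",
                "createdAt": "2026-02-15T10:32:00.000Z"})
    return log
```

Publishing the latest hash to an external system (for example alongside a SIEM export) lets an outside party confirm that nothing before that point was rewritten.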
Network Security
TLS Configuration
- Modern TLS encryption on all connections
- Strong cipher suites only
- Certificate validation enforced
Rate Limiting
| Endpoint | Limit |
|---|---|
| Sign-in | 10 per minute per IP |
| Sign-up | 5 per minute per IP |
| Forgot password | 5 per 5 minutes per IP |
| Two-factor verify | 10 per minute per IP |
| API requests | 1000 per minute per user |
| Secret injection | 100 per minute per service |
Authenticated users receive a 5x multiplier on general API rate limits.
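The limits in the table, enforced by a sliding-log limiter as an added Python example (not varsafe's implementation). Keys are per IP, per user or per service as the table states; applying the 5x authenticated multiplier only to the general API bucket is my reading of the sentence above and is an assumption.

```python
import time
from collections import defaultdict, deque

# (max requests, window in seconds), transcribed from the table above.
LIMITS = {
    "sign-in":           (10, 60),
    "sign-up":           (5, 60),
    "forgot-password":   (5, 300),
    "two-factor-verify": (10, 60),
    "api":               (1000, 60),
    "secret-injection":  (100, 60),
}
AUTHENTICATED_MULTIPLIER = 5  # assumed to apply to the general "api" bucket only


class SlidingWindowLimiter:
    """Keep the timestamps of recent requests per (endpoint, subject) and allow a
    request only if fewer than the limit fall inside the trailing window."""

    def __init__(self) -> None:
        self.hits = defaultdict(deque)

    def check(self, endpoint: str, subject: str, authenticated: bool = False,
              now: float = None) -> bool:
        now = time.time() if now is None else now
        limit, window = LIMITS[endpoint]
        if endpoint == "api" and authenticated:
            limit *= AUTHENTICATED_MULTIPLIER
        log = self.hits[(endpoint, subject)]
        while log and log[0] <= now - window:
            log.popleft()  # evict requests that have left the window
        if len(log) >= limit:
            return False   # over limit: caller answers 429 and logs the event
        log.append(now)
        return True
```

A sliding log is exact but stores one timestamp per request; for the 1000-per-minute API bucket a production deployment would usually trade that for a fixed or token-bucket counter in a shared store such as Redis.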
Data Isolation
Multi-Tenant Architecture
- Each team's data is logically isolated
- Database queries enforce team boundaries
- Secrets are namespaced per team
Namespace Structure
Secrets are organized hierarchically:
Incident Response
Compromise Response
If a secret is compromised:
Immediate actions
- Rotate — Use rotation workflow to generate new value
- Revoke — Invalidate any leaked sessions
- Audit — Review audit log for unauthorized access
- Report — Document incident for compliance
Session Revocation
Sessions can be revoked:
- By user (logout)
- By admin (force logout)
- Automatically (expiration)
- On password change (all sessions)
Revocation is immediate — no waiting for token expiry.
Security Best Practices
For developers
- Never commit secrets — varsafe eliminates this risk
- Use passkeys — More secure than passwords
- Enable 2FA — Adds protection layer
- Review audit logs — Monitor for anomalies
For admins
- Principle of least privilege — Member role for most users
- Regular access reviews — Remove departed team members
- Monitor audit logs — Set up alerts for suspicious activity
- Rotate secrets regularly — Use rotation workflow
For security teams
- Export audit logs — Feed into SIEM
- Review compliance reports — Regular SOC2/GDPR checks
- Test incident response — Simulate compromise scenarios
- Penetration testing — Regular security assessments
Compliance
Compliance framework support
| Framework | How varsafe Helps |
|---|---|
| SOC 2 | Complete audit trail, access controls, encryption |
| GDPR | Processing records, right to access, data portability |
| HIPAA | Access controls, audit logging, encryption |
| PCI DSS | Secrets management, access logging |
See Operations for compliance export procedures.
Reporting Security Issues
Security vulnerabilities should be reported privately:
Contact form — select "Security Issue" in the dropdown.
WARNING
- Do not discuss vulnerabilities publicly before resolution
- Do not test against production systems without authorization
We aim to acknowledge reports within 24 hours and provide fixes within 90 days.