HMS Sovereign's dashboard is built with security as a foundational requirement. This document describes the authentication model, access controls, and protective measures in place for all dashboard users.
Authentication#
Password-Based Login#
All accounts are secured with email/password authentication. Passwords must be at least 8 characters and are never stored in plaintext. Authentication is handled via an open-source identity server (GoTrue) running on HMS Sovereign's own EU-hosted infrastructure.
PKCE Flow#
Authentication tokens are exchanged using the Proof Key for Code Exchange (PKCE) flow. The client starts each flow with a random code_verifier and sends only its hash (the code_challenge); the authorization code it receives can be redeemed only together with that verifier. This prevents authorization code interception attacks by binding the token exchange to the client that started the flow. All email confirmation links, password reset links, and OAuth callbacks use PKCE.
GitHub OAuth#
Users can sign in with GitHub as an alternative to email/password. The OAuth code is exchanged server-side before any session is established.
Session Management#
Sessions are managed via secure, HTTP-only cookies. Sessions are automatically refreshed on activity and validated on every request by the server-side middleware. There are no long-lived tokens stored in browser localStorage.
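The exchange described under PKCE Flow above, as an added example in Python. It is not the dashboard's or GoTrue's code: AuthServer is an in-memory stand-in for the authorization server, and the function names are assumptions. It shows why an intercepted authorization code is worthless without the code_verifier, and why a code must be consumed on its first use.

```python
"""PKCE (RFC 7636): the client binds its authorization code to a secret it does not send
until the exchange. Added example of the flow described above; not the dashboard's or
GoTrue's code. AuthServer and the function names are assumptions."""
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding RFC 7636 mandates."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_verifier() -> str:
    """32 random bytes give a 43-character verifier (RFC 7636 allows 43..128)."""
    return b64url(secrets.token_bytes(32))


def make_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthServer:
    """Stand-in for the authorization server. It stores the challenge that arrived with
    the authorization request and releases a session only to a caller who presents the
    verifier that hashes to it."""

    def __init__(self) -> None:
        self._pending: Dict[str, str] = {}   # authorization code -> code_challenge

    def issue_code(self, code_challenge: str) -> str:
        code = secrets.token_urlsafe(24)
        self._pending[code] = code_challenge
        return code

    def exchange(self, code: str, code_verifier: str) -> Optional[str]:
        # The code is consumed on the first attempt, valid or not, so it cannot be replayed
        expected = self._pending.pop(code, None)
        if expected is None:
            return None
        if not hmac.compare_digest(make_challenge(code_verifier), expected):
            return None
        return "session-" + secrets.token_hex(8)


def demo() -> Tuple[bool, bool, bool]:
    """Returns (legitimate exchange ok, replay ok, interceptor ok)."""
    server = AuthServer()

    # 1. The real client starts the flow with a challenge derived from its own verifier
    verifier = make_verifier()
    code = server.issue_code(make_challenge(verifier))
    legit_ok = server.exchange(code, verifier) is not None

    # 2. Replaying the same code fails: it was consumed above
    replay_ok = server.exchange(code, verifier) is not None

    # 3. An attacker who captured a fresh code (leaked redirect, logged URL) lacks the
    #    verifier that produced its challenge, so presenting another one gets nothing
    code2 = server.issue_code(make_challenge(make_verifier()))
    intercept_ok = server.exchange(code2, make_verifier()) is not None

    return legit_ok, replay_ok, intercept_ok


if __name__ == "__main__":
    print(demo())   # (True, False, False)
```

make_challenge reproduces the RFC 7636 Appendix B vector (verifier dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk gives challenge E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM), which is the quickest check that an implementation's encoding is right.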
Two-Factor Authentication (2FA)#
HMS Sovereign supports TOTP-based two-factor authentication (Time-based One-Time Password), compatible with any standard authenticator app (Google Authenticator, Authy, 1Password, etc.).
How It Works#
1. Enable 2FA in Settings → Security
2. Scan the QR code with your authenticator app
3. Enter the 6-digit code to confirm enrollment
4. On future logins, you will be prompted for your 6-digit code after your password
Assurance Levels#
The authentication system tracks assurance levels per session:
| Level | Meaning |
|---|---|
| AAL1 | Authenticated with password only |
| AAL2 | Authenticated with password + second factor (2FA) |
Protected routes require at minimum AAL1. Users with 2FA enrolled are required to complete AAL2 before accessing the dashboard.
Disabling 2FA#
2FA can be disabled from Settings → Security. This requires re-authenticating with your current TOTP code.
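The enrollment steps, the assurance levels and the disabling flow above, as one added example. It is not the dashboard's or GoTrue's code: Account, Session, the function names and the 160-bit secret size are assumptions. hotp and totp follow RFC 4226 and RFC 6238 and reproduce the RFC 6238 test vectors; verify_totp accepts one step of clock drift either side, a common choice the page does not specify.

```python
"""TOTP (RFC 6238) enrollment and verification, plus AAL1/AAL2 session tracking.

Added example covering the enrollment steps, the assurance levels and disabling; it is not
the dashboard's or GoTrue's code. Account, Session and the function names are assumptions."""
import base64
import hashlib
import hmac
import secrets
import struct
import urllib.parse
from typing import Optional

STEP = 30        # seconds per code
DIGITS = 6
AAL_RANK = {"aal1": 1, "aal2": 2}


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / STEP)."""
    return hotp(secret, at // STEP)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` neighbours to absorb clock drift;
    compare_digest keeps each comparison constant-time."""
    if len(code) != DIGITS or not code.isascii():
        return False
    counter = at // STEP
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1))


class Account:
    def __init__(self, email: str) -> None:
        self.email = email
        self.totp_secret: Optional[bytes] = None     # live factor, set only after confirmation
        self.pending_secret: Optional[bytes] = None  # shown as a QR code, not yet confirmed


class Session:
    def __init__(self, account: Account) -> None:
        self.account = account
        self.aal = "aal1"   # password only until a second factor is presented


def begin_enrollment(account: Account, issuer: str = "HMS Sovereign") -> str:
    """Steps 1-2: mint a secret and return the otpauth:// URI the QR code encodes."""
    account.pending_secret = secrets.token_bytes(20)   # 160 bits, as RFC 4226 recommends
    b32 = base64.b32encode(account.pending_secret).decode("ascii").rstrip("=")
    label = urllib.parse.quote(f"{issuer}:{account.email}")
    query = urllib.parse.urlencode({"secret": b32, "issuer": issuer, "algorithm": "SHA1",
                                    "digits": DIGITS, "period": STEP})
    return f"otpauth://totp/{label}?{query}"


def confirm_enrollment(account: Account, code: str, at: int) -> bool:
    """Step 3: a correct code from the app promotes the pending secret to the live factor."""
    if account.pending_secret is None or not verify_totp(account.pending_secret, code, at):
        return False
    account.totp_secret, account.pending_secret = account.pending_secret, None
    return True


def required_aal(account: Account) -> str:
    return "aal2" if account.totp_secret else "aal1"


def step_up(session: Session, code: str, at: int) -> bool:
    """Step 4: after the password, a valid code raises the session to AAL2."""
    secret = session.account.totp_secret
    if secret is None or not verify_totp(secret, code, at):
        return False
    session.aal = "aal2"
    return True


def can_access_dashboard(session: Session) -> bool:
    """Protected routes need AAL1; an enrolled user must already be at AAL2."""
    return AAL_RANK[session.aal] >= AAL_RANK[required_aal(session.account)]


def disable_2fa(account: Account, code: str, at: int) -> bool:
    """Disabling re-authenticates with the current code before the secret is removed."""
    if account.totp_secret is None or not verify_totp(account.totp_secret, code, at):
        return False
    account.totp_secret = None
    return True
```

Two details matter in practice: the secret only becomes a live factor once a code from the user's app has verified (so a half-finished enrollment cannot lock anyone out), and the drift window should be kept small, since every extra step widens the set of codes an attacker can guess.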
API Key Security#
API keys use the format fl_<64 hex characters>: 32 bytes from a cryptographically secure random generator, hex-encoded.
Storage#
API keys are never stored in plaintext in the database. Each key is encrypted and stored in a dedicated secrets vault (using envelope encryption). The database only stores a reference ID to the vault entry, not the key itself.
Usage#
Keys are passed as Bearer tokens in the Authorization header:
Authorization: Bearer fl_...
Keys are validated on every API request before any data is returned or action is taken.
Rotation#
API keys can be regenerated at any time from Settings → API Keys. Regenerating a key immediately invalidates the previous key. Old vault entries are deleted on rotation.
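The generation, vault storage, validation and rotation described above, as one added example. It is not the dashboard's code: Vault and KeyStore are in-memory stand-ins, and seal/open_sealed is a standard-library stand-in cipher (an HMAC-SHA256 keystream with an encrypt-then-MAC tag) used only so the envelope runs offline, where a real vault would wrap with an AEAD such as AES-GCM. All names are assumptions, as is the linear scan in validate, since the page does not say how a request is matched to its row.

```python
"""API keys: fl_<64 hex> generation, vault storage under envelope encryption, per-request
validation and rotation. Added example, not the dashboard's code. Vault, KeyStore and the
seal/open_sealed stand-in cipher (HMAC-SHA256 keystream + encrypt-then-MAC tag, standard
library only; use an AEAD such as AES-GCM in a real vault) are assumptions."""
import hashlib
import hmac
import re
import secrets
from typing import Dict, Optional, Tuple

KEY_RE = re.compile(r"^fl_[0-9a-f]{64}$")


def generate_api_key() -> str:
    """fl_ followed by 32 CSPRNG bytes as 64 lowercase hex characters."""
    return "fl_" + secrets.token_hex(32)


def key_from_header(authorization: Optional[str]) -> Optional[str]:
    """Extract the key from 'Authorization: Bearer fl_...'; anything malformed is rejected."""
    if not authorization:
        return None
    scheme, _, token = authorization.strip().partition(" ")
    token = token.strip()
    if scheme.lower() != "bearer" or not KEY_RE.match(token):
        return None
    return token


def _subkeys(key: bytes) -> Tuple[bytes, bytes]:
    """Separate encryption and MAC keys derived from one input key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in cipher: nonce || ciphertext || tag."""
    enc, mac = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(enc, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac, nonce + ct, hashlib.sha256).digest()


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before touching the ciphertext."""
    enc, mac = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("vault entry failed authentication")
    return bytes(c ^ s for c, s in zip(ct, _keystream(enc, nonce, len(ct))))


class Vault:
    """Envelope encryption: each entry gets its own DEK; only the DEK is wrapped by the KEK."""

    def __init__(self, kek: bytes) -> None:
        self._kek = kek
        self.entries: Dict[str, Tuple[bytes, bytes]] = {}   # ref -> (wrapped DEK, ciphertext)

    def put(self, secret: bytes) -> str:
        dek, ref = secrets.token_bytes(32), secrets.token_hex(16)
        self.entries[ref] = (seal(self._kek, dek), seal(dek, secret))
        return ref

    def get(self, ref: str) -> bytes:
        wrapped_dek, ct = self.entries[ref]
        return open_sealed(open_sealed(self._kek, wrapped_dek), ct)

    def delete(self, ref: str) -> None:
        self.entries.pop(ref, None)


class KeyStore:
    """The application's own table holds only the vault reference per organization."""

    def __init__(self, vault: Vault) -> None:
        self.vault = vault
        self.db: Dict[str, str] = {}   # org_id -> vault ref (never the key)

    def issue(self, org_id: str) -> str:
        """Create or rotate. The old vault entry is deleted, so the old key stops validating."""
        key = generate_api_key()
        old_ref = self.db.get(org_id)
        self.db[org_id] = self.vault.put(key.encode("ascii"))
        if old_ref is not None:
            self.vault.delete(old_ref)
        return key   # shown to the user once; never kept in plaintext here

    def validate(self, authorization: Optional[str]) -> Optional[str]:
        """Run before any data is returned. Returns the org_id for a live key, else None.
        Linear scan for illustration only; the page does not describe the real index."""
        presented = key_from_header(authorization)
        if presented is None:
            return None
        for org_id, ref in self.db.items():
            if hmac.compare_digest(self.vault.get(ref), presented.encode("ascii")):
                return org_id
        return None
```

The point of the two layers is operational: rotating the KEK means re-wrapping one small DEK per entry rather than re-encrypting every secret, and a dump of the application table yields only opaque references.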
Access Control#
Role-Based Access#
The dashboard distinguishes between two roles:
| Role | Access |
|---|---|
| User | Full access to their own organization's data |
| Admin | Additional access to platform-wide admin features (account management, credits, support tickets) |
Organization Isolation#
All data is scoped to your organization. Every database query filters by org_id, ensuring organizations cannot access each other's data. This is enforced both at the application layer and at the database level via Row-Level Security (RLS) policies.
Protected Routes#
The following routes require an active authenticated session:
/agents — Voice assistants
/settings — Account settings
/integrations — BYOK & provider setup
/campaigns — Outbound campaigns
/admin — Admin panel (admin role required)
Unauthenticated requests to protected routes are redirected to the login page.
Email Verification & Password Reset#
Email Verification#
New accounts receive a confirmation email before access is granted. The confirmation link uses a time-limited, signed token exchanged via the PKCE flow. Unverified accounts cannot sign in.
Password Reset#
1. Request a reset link on the Forgot Password page
2. A signed recovery link is sent to your email address
3. Clicking the link initiates a PKCE token exchange
4. You are directed to set a new password (minimum 8 characters)
Recovery links expire after a short time window and can only be used once.
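The three properties the confirmation and recovery links are described with above (signed, time-limited, single use), as an added example. It is not GoTrue's implementation, which the page says completes the link via a PKCE exchange; the token layout, the 15-minute window, RecoveryTokens and the function names are assumptions.

```python
"""Signed, expiring, single-use tokens of the kind carried by confirmation and recovery links.

Added example, not GoTrue's implementation. Token layout, the 15-minute TTL, RecoveryTokens
and the function names are assumptions."""
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional

RECOVERY_TTL = 15 * 60   # assumed window; the page only says "a short time window"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class RecoveryTokens:
    def __init__(self, signing_key: bytes) -> None:
        self._key = signing_key
        self._unused: Dict[str, str] = {}   # nonce -> user_id, removed on first successful use

    def issue(self, user_id: str, purpose: str, now: int) -> str:
        """Token = base64url(payload).base64url(HMAC-SHA256(payload)). The purpose is part
        of the signed payload, so a confirmation link cannot be replayed as a reset link."""
        nonce = secrets.token_hex(16)
        payload = "\n".join([purpose, user_id, str(now + RECOVERY_TTL), nonce]).encode()
        sig = hmac.new(self._key, payload, hashlib.sha256).digest()
        self._unused[nonce] = user_id
        return _b64(payload) + "." + _b64(sig)

    def redeem(self, token: str, purpose: str, now: int) -> Optional[str]:
        """Returns the user_id if the token is authentic, for this purpose, unexpired and
        not yet used; otherwise None. Nothing is consumed unless every check passes."""
        try:
            payload_b64, sig_b64 = token.split(".")
            payload, sig = _unb64(payload_b64), _unb64(sig_b64)
        except ValueError:      # wrong shape or bad base64 (binascii.Error is a ValueError)
            return None
        expected = hmac.new(self._key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return None         # forged or tampered: reject before parsing anything
        try:
            tok_purpose, user_id, expires, nonce = payload.decode().split("\n")
            expires_at = int(expires)
        except ValueError:
            return None
        if tok_purpose != purpose or now > expires_at:
            return None
        if self._unused.pop(nonce, None) != user_id:
            return None         # already used, or never issued by this server
        return user_id
```

The order of checks is deliberate: the signature is verified before the payload is parsed, the purpose and expiry are checked before the nonce is consumed, and the nonce is consumed only on success, so a failed attempt never burns a link the legitimate user still holds.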
Rate Limiting#
API endpoints are rate-limited to prevent abuse:
| Endpoint | Limit |
|---|---|
| API requests | 100 requests/minute per API key |
| Outbound calls | 20 requests/minute per organization |
| Domain management | 5 requests/hour per organization |
Rate limit status is returned in response headers:
X-RateLimit-Remaining — Requests remaining in the current window
X-RateLimit-Reset — Unix timestamp when the limit resets
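A limiter that enforces the table above and emits the two headers, as an added example rather than the dashboard's implementation. The limits and header names come from the page; the fixed-window bookkeeping, the bucket names and RateLimiter are assumptions.

```python
"""Fixed-window rate limiting with the X-RateLimit-* headers listed above.

Added example; not the dashboard's implementation. The limits and the two headers come
from the page; the fixed-window bookkeeping, bucket names and RateLimiter are assumptions."""
from typing import Dict, Tuple

# bucket -> (max requests, window length in seconds); the subject is the key or org it applies to
LIMITS: Dict[str, Tuple[int, int]] = {
    "api":     (100, 60),     # per API key
    "calls":   (20, 60),      # per organization
    "domains": (5, 3600),     # per organization
}


class RateLimiter:
    def __init__(self) -> None:
        # (bucket, subject) -> (window start, requests counted in that window)
        self._windows: Dict[Tuple[str, str], Tuple[int, int]] = {}

    def check(self, bucket: str, subject: str, now: int) -> Tuple[bool, Dict[str, str]]:
        """Count one request. Returns (allowed, headers). `now` is a unix timestamp passed
        in explicitly so behaviour is deterministic and testable; refusals are not counted."""
        limit, period = LIMITS[bucket]
        window_start = now - now % period            # windows are aligned to the period
        start, count = self._windows.get((bucket, subject), (window_start, 0))
        if start != window_start:                    # new window: the old count is gone
            start, count = window_start, 0
        allowed = count < limit
        if allowed:
            count += 1
        self._windows[(bucket, subject)] = (start, count)
        headers = {
            "X-RateLimit-Remaining": str(limit - count),
            "X-RateLimit-Reset": str(start + period),   # unix time the window rolls over
        }
        return allowed, headers


def exhaust(limiter: RateLimiter, bucket: str, subject: str, now: int) -> Dict[str, str]:
    """Drive one subject to its limit and return the headers on the first refusal."""
    limit, _ = LIMITS[bucket]
    for _ in range(limit):
        allowed, _headers = limiter.check(bucket, subject, now)
        assert allowed
    allowed, headers = limiter.check(bucket, subject, now)
    assert not allowed
    return headers
```

A fixed window is the simplest scheme that matches a single reset timestamp in the headers; its known weakness is that a client can burst up to twice the limit across a window boundary, which is why a sliding window or token bucket is often preferred when that matters.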
Infrastructure Security#
Hosting: Dashboard is hosted on Vercel with edge network protection
Data: All customer data is stored on HMS Sovereign's own EU-hosted infrastructure (Nuremberg, Germany)
Encryption in transit: All connections use TLS. HTTP is redirected to HTTPS.
Encryption at rest: API keys and BYOK secrets are encrypted at rest using envelope encryption in the secrets vault
Error tracking: Errors are monitored via Sentry. Session replays have maskAllText and blockAllMedia enabled to prevent sensitive content from being captured
Responsible Disclosure#
If you discover a security vulnerability in the HMS Sovereign dashboard or API, please contact us at support@flireo.com. We aim to respond within 48 hours and will work with you to resolve the issue responsibly.
Modified at 2026-03-28 09:01:42