Authproof Cloud is built on cryptographic primitives, not policy promises. Here is exactly what we do and how it works.
Every delegation receipt is signed using ECDSA P-256 via the Web Crypto API. This is the same elliptic curve algorithm used in banking and government digital signatures. The user's private key never leaves their hardware secure enclave.
Operator instructions, scope schemas, and model state commitments are hashed using SHA-256 before being included in the receipt. Any modification to the original content produces a completely different hash and is immediately detectable.
Every log entry receives a cryptographic timestamp from a trusted timestamping authority. RFC 3161 timestamps are used in legally admissible digital evidence and cannot be backdated or falsified.
The action log is append-only by design. Entries can never be modified or deleted — only added. Every entry contains a hash of the previous entry. Modifying any record breaks the chain and is immediately detectable by any verifier.
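The hash chaining described above can be sketched as follows. This is an added example, not Authproof's own code: the entry layout (`index`, `prevHash`, `payload`, `hash`), the all-zero genesis value, and the function names are assumptions made for illustration.

```javascript
// Added illustration: entry layout and function names are assumptions,
// not Authproof's actual log format or SDK API.
const { createHash } = require('node:crypto');

const GENESIS = '0'.repeat(64); // constructed placeholder for "no previous entry"

// The hash covers the position, the previous entry's hash and the payload.
function entryHash(index, prevHash, payload) {
  const canonical = JSON.stringify([index, prevHash, payload]);
  return createHash('sha256').update(canonical, 'utf8').digest('hex');
}

// Append returns a new array; existing entries are never rewritten.
function append(log, payload) {
  const index = log.length;
  const prevHash = index === 0 ? GENESIS : log[index - 1].hash;
  return [...log, { index, prevHash, payload, hash: entryHash(index, prevHash, payload) }];
}

// Returns -1 if the chain is intact, otherwise the index of the first bad entry.
// expectedHead is the last hash the verifier recorded out of band; without it,
// removal of entries from the tail of the log would go unnoticed.
function verifyChain(log, expectedHead) {
  let prev = GENESIS;
  for (let i = 0; i < log.length; i++) {
    const e = log[i];
    if (e.index !== i || e.prevHash !== prev) return i;
    if (entryHash(e.index, e.prevHash, e.payload) !== e.hash) return i;
    prev = e.hash;
  }
  if (expectedHead !== undefined && prev !== expectedHead) return log.length;
  return -1;
}

// Constructed sample log.
function sampleLog() {
  return ['receipt issued', 'action: read calendar', 'action: send email']
    .reduce((log, p) => append(log, p), []);
}
```

A verifier that keeps only the chain's structure detects edits, deletions and reordering in the middle of the log; detecting a shortened log additionally requires a previously recorded head hash, which is why `verifyChain` accepts one.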
| What | How |
|---|---|
| Data in transit | All API traffic uses TLS 1.3. No unencrypted connections are accepted. HTTPS is enforced on all endpoints. |
| Data at rest | All data stored in Supabase PostgreSQL is encrypted at rest using AES-256. Receipt hashes, verification records, and account data are encrypted in the database. |
| API authentication | API keys are hashed before storage using bcrypt. Plaintext API keys are never stored. Keys are transmitted only over HTTPS and never logged. |
| Infrastructure provider | Authproof Cloud runs on Vercel for compute and Supabase for database storage. Both providers maintain SOC 2 Type II certification. Data is stored in US East region by default. |
| Dependency management | The open source SDK has 1,151 tests across 14 suites with zero failures. Dependencies are reviewed and pinned. The SDK is MIT licensed and auditable by anyone. |
| Secret management | Environment variables and secrets are managed through Vercel's encrypted environment system. No secrets are committed to the repository. |
Authproof is designed so that your private signing key never leaves your hardware. We use WebAuthn and FIDO2, which leverage your device's secure enclave — the same protected chip that stores Face ID and fingerprint data on modern devices. The secure enclave performs the cryptographic signing operation internally. The private key is never exported, never transmitted, and never accessible to Authproof or any other party.
This means that even if Authproof Cloud's infrastructure were completely compromised, an attacker could not forge delegation receipts signed by your users. The receipts require the user's hardware key to create.
If you discover a security vulnerability in Authproof Cloud or the open source SDK, please report it to ryan@authproof.dev with the subject line "Security Vulnerability Report".
We will acknowledge your report within 24 hours and provide a timeline for resolution. We do not currently have a formal bug bounty program, but we are grateful for responsible disclosure and will credit researchers who report valid findings.
Please do not publicly disclose vulnerabilities until we have had reasonable time to address them.
We believe in transparency about where we are and where we are going. These are security and compliance milestones we have not yet reached:
We respond to all security inquiries within 24 hours.