This document describes the security measures in place to protect your data, agents, files, and conversations on the AiAxis platform.


How Every Request is Secured — The Request Lifecycle

Every interaction with the AiAxis platform follows a strict, non-negotiable security lifecycle. There are no shortcuts and no exceptions.

1. Authentication is required for every data-access endpoint. You must be logged in before any data can be read, written, or modified. Unauthenticated requests to protected endpoints are rejected immediately.

2. Your identity is double-validated before any access is granted. Every authentication is verified in two independent systems that must agree before access is granted:

If either system rejects you — whether WorkOS doesn't recognize your credentials, or the platform database doesn't have a matching user and workspace record — access is denied. This means there are two independent checks, either of which can deny access, instead of one, and the first relies on a dedicated, enterprise-grade identity provider.

3. Your verified credentials define the scope of the request. When you authenticate — whether through SSO, an API key, or a password — the platform resolves your identity, your Wrench workspace, and your role. These are embedded into every request as non-negotiable context. They cannot be altered, spoofed, or escalated by the request itself.

4. Your workspace identity drives all data access. Every operation the platform performs on your behalf references your authenticated workspace ID and user ID directly from your authentication token. The platform does not accept these values from request parameters — they are extracted exclusively from your verified credentials. These fields are internally reserved to prevent spoofing or impersonation attack vectors.

5. Every query is filtered and scoped to your workspace. All data retrieval is filtered by your workspace ID (and user ID where applicable) at the database level. This is not optional logic that can be bypassed — it is structurally built into every query. No data from another workspace can appear in your results. No cross-contamination is possible.

6. Unauthorized attempts are logged and reviewed. Any request that fails authentication or attempts to access resources outside its authorized scope is immediately logged with full request context. Critical failures trigger real-time notifications to the operations team for review.
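Steps 3 to 6 above can be pictured as the following added example, which is not AiAxis code. The names `AuthContext`, `RESERVED_FIELDS`, `list_files` and the `files` table are hypothetical, and the example assumes that a request carrying a reserved field is rejected and logged rather than silently ignored.

```python
import sqlite3
from dataclasses import dataclass

# Assumed field names: the page says such fields are reserved but does not list them.
RESERVED_FIELDS = {"workspace_id", "user_id", "role"}

@dataclass(frozen=True)
class AuthContext:
    """Identity resolved from verified credentials, never from request parameters."""
    workspace_id: str
    user_id: str
    role: str

class ScopeViolation(Exception):
    """Raised when a request tries to supply its own identity or scope."""

def make_db():
    """Constructed sample data: one table shared by two workspaces."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE files (id INTEGER PRIMARY KEY, workspace_id TEXT, name TEXT)")
    db.executemany(
        "INSERT INTO files (workspace_id, name) VALUES (?, ?)",
        [("ws_a", "roadmap.pdf"), ("ws_a", "notes.txt"), ("ws_b", "payroll.xlsx")],
    )
    return db

def list_files(db, ctx, params, audit_log):
    """Return file names visible to the caller's workspace only."""
    spoofed = RESERVED_FIELDS.intersection(params)
    if spoofed:
        # Step 6: record the attempt with request context, then refuse it.
        audit_log.append({"user": ctx.user_id, "workspace": ctx.workspace_id,
                          "rejected_fields": sorted(spoofed)})
        raise ScopeViolation(f"reserved fields in request: {sorted(spoofed)}")
    # Step 5: the workspace filter is bound from ctx in the query itself, so a
    # caller-supplied search term (even a bare wildcard) cannot widen the scope.
    pattern = f"%{params.get('q', '')}%"
    rows = db.execute(
        "SELECT name FROM files WHERE workspace_id = ? AND name LIKE ? ORDER BY name",
        (ctx.workspace_id, pattern),
    )
    return [row[0] for row in rows]
```
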


Your Account and Identity

AiAxis supports enterprise-grade authentication through single sign-on (SSO), API keys, and password-based login.