Authentication for clients

Last updated: Jun 12, 2026


Our platform only uses SSO with Bitbucket, Google, and Microsoft Accounts.

Fluid Attacks platform login screen

Login uses the OAuth 2.0 protocol, an industry-standard authorization framework known for its robust security. The platform only accepts login attempts from trusted URLs and issues industry-standard 2048-byte access tokens. JSON Web Tokens (JWT) are integrated with the OAuth 2.0 protocol to provide an additional layer of security, using secure algorithms for token generation and verification.

We employ JWT with secure algorithms such as:

  • ES512 (ECDSA with SHA-512): A strong asymmetric algorithm utilizing ECDSA (Elliptic Curve Digital Signature Algorithm) with SHA-512 for secure data encryption and digital signatures.
  • RS512 (RSA with SHA-512): A robust asymmetric algorithm utilizing RSA public/private key pairs with SHA-512 for secure data encryption and decryption.

By implementing JWT with these secure algorithms, we maintain the highest level of protection against unauthorized access and data tampering.

We do not store any account passwords. The only personal information we store about our clients is the following:

  • Full name (provided by Google or Microsoft)
  • Company name and cell phone number (only if the user chooses to share them)

It is worth noting that if users lose their corporate email, they also lose access to their account on our platform. In addition, customers can easily manage who does and who does not have access to their projects.

We are committed to providing a secure and reliable environment for our users. Our use of OAuth 2.0 with JWT and these strong, secure algorithms reinforces our dedication to safeguarding user data and ensuring secure access to our platform.

Requirements

The following Fluid Attacks requirements apply to the controls described on this page:

  • Other secure authentication measures