Platform Features
Complete Platform Capabilities
Ten integrated capability modules covering credential lifecycle, access governance, authentication security, API management, compliance, and operational infrastructure.
Six specialized credential types: Password, API/OAuth, Keys & Certificates, Token, Encrypted File, Secure Note
AES-256-GCM encryption with unique initialization vectors per record
Decoupled storage — metadata and encrypted payloads in separate layers
Credential lifecycle: create, view, edit, delete with version tracking
Expiry monitoring with configurable alert windows (60-day default)
Personal vs. shared credential isolation with strict visibility controls
Status management: Active, Expired, Revoked
Ownership attribution with creator and last-modifier tracking
Full-text search across name, description, username, and file names
Multi-axis filtering by type, category, environment, expiry status, and scope
Server-side pagination with configurable page size
CSV bulk import with row-level Zod validation, deduplication, and error reporting
Multi-tiered roles: User, Admin, Super Admin
Dynamic user groups with organizational classification
Many-to-many user-group mapping with assignment audit trail
Category-scoped and environment-scoped permissions per group membership
Named access group policies with per-feature permission assignments
Five-level permission hierarchy: ALL, ALL_SCOPED, VIEW, VIEW_MASKED, NO_ACCESS
Five enforcement actions per feature: View, Create, Edit, Delete, Unmask
Highest-wins permission aggregation across multiple group memberships
Automatic sensitive field masking with deep-clone server-side enforcement
Runtime validation ensuring every sensitive schema field is registered
Version-based RBAC cache invalidation for session coherence
Session-embedded access context for sub-millisecond authorization
Mandatory TOTP-based Two-Factor Authentication with encrypted secret storage
QR code generation for authenticator app enrollment
2FA reconfiguration flow with time-limited email tokens for lost devices
Organization-wide mandatory 2FA toggle
Enterprise password policy: 12+ characters, uppercase, lowercase, number, special character
Secure password reset with rate-limited, single-use tokens (1-hour expiry)
Anti-enumeration protection on login and password reset flows
Adaptive CAPTCHA triggered after suspicious authentication patterns
Configurable session timeout with automatic invalidation (default 15 minutes)
Pre-login security check validating IP blocks, user locks, and CAPTCHA before session creation
Global API access toggle for instant exposure control
Three security tiers: Standard (OAuth 2.0), Secure (+ mTLS), Enterprise (+ HMAC)
OAuth 2.0 Client Credentials flow with encrypted client secrets
Mutual TLS certificate verification with thumbprint binding
HMAC request signature validation with timing-safe comparison
Configurable token validity per client
Per-endpoint rate limiting with sliding window enforcement
Optional rate limit response headers (X-RateLimit-Limit, Remaining, Reset)
Application and environment scope enforcement per API client
Comprehensive API activity logging with unique request ID tracing
Rate limit violations feed into IP abuse escalation model
Client secret expiry tracking for rotation reminders
Transactional audit logging for all state-changing operations
Differential auditing with structured before/after change tracking
Automatic sensitive data sanitization in audit records
Login activity logging with outcome, category, reason code, and risk classification
Risk level derivation: Blocked → High, MFA failure → Medium, Standard failure → Low
Login log archival to cold storage with batch traceability
SIEM-ready structured JSON log output (Splunk, Datadog, CloudWatch compatible)
Configurable personal credential audit policy
Audit throttling for repeated forbidden-access attempts to prevent log flooding
External user flag with vendor organization identification
Access type control: API or Portal modes
Time-bound access windows with automatic session termination on expiry
Credential-level scoping — vendors see only explicitly shared credential IDs
Category and environment scoping for external users
Route-level restrictions blocking admin, settings, and internal features
External invite flow with pre-configured scope and vendor metadata
Search isolation preventing external users from discovering internal users
Ephemeral encrypted secrets with configurable maximum view count
Time-to-live (TTL) in hours with automatic expiry
Two sharing methods: Link (copy URL) or Email (branded email with link)
Two-step reveal flow — metadata shown first, explicit click required to decrypt
Manual revocation by creator or administrator
Bulk cleanup utility for expired and revoked secrets
Public access links work without authentication
RBAC-protected creation and management
Configurable application name displayed across the entire platform
Company name for footer and branding contexts
Custom logo upload (Base64, max 500KB) displayed in header, login, and emails
Theme color configuration for UI accent customization
Dynamic email branding — all automated emails pull logo and app name
Dynamic sender identity formatted with application name
Database info panel: type, host, port, user, SSL status, connection latency
Automated schema drift detection comparing definitions against live database
Detection of missing tables, missing columns, and orphaned tables
One-click schema synchronization from the administration interface
Boot-time auto-sync for zero-downtime deployments
Multi-path schema resolution for AWS Amplify and various deployment topologies
Encrypted license parameter storage with individual key-value encryption
Cryptographic signature verification preventing offline tampering
Five license states: Valid, Grace, Locked, Unactivated, Compromised
Graceful degradation with grace period alerts before capability restriction
User limit enforcement against license-defined active user counts
In-memory license cache for sub-200ms authorization checks
Boot-time license evaluation via server startup hooks
Milestone-based alert logging to prevent duplicate notifications