Security

How Kopra protects your data and your customers' data.

  • Multi-tenant isolation - every database query includes clientId (your account) and tenantId (your customer). One tenant cannot access another tenant's fields or values.
  • Token authentication - embed integrations use short-lived tokens scoped to a single tenant. Tokens are verified on every API request.
  • API key authentication - server-to-server communication uses API keys sent via the X-API-Key header. Keys can be created, deactivated, and deleted from the dashboard.
  • TLS encryption - all API traffic is encrypted in transit via HTTPS/TLS.
  • Rate limiting - API endpoints are rate-limited to prevent abuse. Authentication routes have separate, stricter limits.
  • Webhook signatures - webhook deliveries are cryptographically signed so you can verify they came from Kopra.
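
One way the two-level scoping in the first bullet can be enforced in a data-access layer, shown as an added example that is not Kopra's code. The table layout, the `ScopedFields` class and the sample rows are hypothetical, and SQLite stands in for whatever database Kopra uses; only the `clientId` and `tenantId` names come from this page.

```python
import sqlite3

# Hypothetical schema: the page names only clientId and tenantId.
SCHEMA = """CREATE TABLE field_values (
    clientId TEXT NOT NULL, tenantId TEXT NOT NULL,
    field TEXT NOT NULL, value TEXT,
    PRIMARY KEY (clientId, tenantId, field))"""


class ScopedFields:
    """Data-access object bound to one (clientId, tenantId) pair at construction."""

    def __init__(self, db, client_id, tenant_id):
        if not client_id or not tenant_id:
            raise ValueError("clientId and tenantId are both required")
        self._db, self._scope = db, (client_id, tenant_id)

    def set(self, field, value):
        self._db.execute(
            "INSERT OR REPLACE INTO field_values VALUES (?, ?, ?, ?)",
            (*self._scope, field, value))

    def get(self, field):
        row = self._db.execute(
            "SELECT value FROM field_values "
            "WHERE clientId = ? AND tenantId = ? AND field = ?",
            (*self._scope, field)).fetchone()
        return row[0] if row else None

    def list_fields(self):
        rows = self._db.execute(
            "SELECT field FROM field_values "
            "WHERE clientId = ? AND tenantId = ? ORDER BY field",
            self._scope)
        return [r[0] for r in rows]


def demo():
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    # Constructed sample data: two tenants of one client, plus a second
    # client that happens to reuse the tenant id "t1".
    a = ScopedFields(db, "client-1", "t1")
    b = ScopedFields(db, "client-1", "t2")
    c = ScopedFields(db, "client-2", "t1")
    a.set("plan", "gold")
    b.set("plan", "free")
    c.set("region", "eu")
    return a, b, c
```

Because the scope is fixed when the object is created, no caller can issue a query that omits either id, and a tenant id reused under a different client still resolves to separate rows.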

For security inquiries or to report a vulnerability, contact hello@kopra.dev.
