
Security principles

PassAgent follows a zero-trust security model:
  1. Client-side encryption: all sensitive data is encrypted and decrypted on your device
  2. Server ignorance: the server stores only ciphertext and never has access to your master password or vault key
  3. Defense in depth: multiple independent security layers protect your data
  4. Least privilege: each component has only the minimum access required

Encryption layers

Layer 1: Vault encryption

AES-256-GCM with keys derived from your master password via Argon2id. All vault data is encrypted client-side.

Layer 2: Envelope encryption

Each vault item is encrypted with its own random 256-bit key. That item key is wrapped with the vault key for the owner and, when an item is shared, with the recipient's RSA-OAEP public key. Only the wrapped item key is re-issued on a share; the owner's vault key and master password are never exposed to the recipient or the server.

Layer 3: Transport encryption

All communication uses TLS 1.3. API endpoints enforce HTTPS.

Layer 4: Database security

Supabase PostgreSQL with Row-Level Security (RLS) policies. Each user can only access their own data at the database level.

Authentication

  • Supabase Auth with JWT tokens and HTTP-only cookies
  • 2FA enrollment with TOTP (Google Authenticator, Authy, etc.)
  • CSRF protection on all mutation endpoints
  • Rate limiting on authentication and sensitive endpoints
  • Session management with configurable timeout and auto-lock

Data isolation

Every database query is scoped to the authenticated user through Row-Level Security (RLS) policies, enforced by PostgreSQL itself rather than by application code. An attacker who obtains one user's session, or finds an API handler that forgets a WHERE clause, still cannot read or modify another user's rows. RLS does not cover connections that bypass it: the PostgreSQL superuser and Supabase's service-role key skip policies entirely, so the service-role key must never be shipped to a client.
-- Example RLS policy (PostgreSQL / Supabase). Policies are ignored until RLS is
-- enabled on the table; WITH CHECK states the rule explicitly for INSERT and UPDATE.
ALTER TABLE passwords ENABLE ROW LEVEL SECURITY;

CREATE POLICY "Users can only access their own passwords"
ON passwords FOR ALL
USING (user_id = auth.uid())
WITH CHECK (user_id = auth.uid());

Audit logging

Security-sensitive actions are logged with:
  • Action type: login, password reveal, share, export, etc.
  • Timestamp: when the action occurred
  • IP address: the client’s IP
  • Device info: browser and platform details
  • Result: success or failure
Navigate to Dashboard > Security to review your audit log.

Threat model

PassAgent’s threat model considers:

  Threat                 Mitigation
  ---------------------  --------------------------------------------------------------
  Server compromise      Zero-trust encryption: the server holds only ciphertext
  Database breach        RLS + encrypted vault data + no plaintext secrets
  Network interception   TLS 1.3 + certificate pinning (iOS)
  Credential stuffing    Rate limiting + 2FA + breach monitoring
  Cross-site attacks     CSRF tokens + Content Security Policy + SameSite cookies
  Extension compromise   Manifest V3 + minimal permissions + content script isolation
  Phishing               Passkey support (phishing-resistant WebAuthn)

Compliance

PassAgent’s security controls align with:
  • SOC 2 Type II readiness
  • ISO 27001 ISMS framework
  • GDPR data protection requirements
  • CCPA consumer privacy rights