Trust & Security

Security is First-Class

Every layer of the LabsNinja SCIM Connector is designed with security as a first principle — from credential storage to tenant isolation.

Authentication & Credentials

🔒 Bcrypt Token Hashing

SCIM bearer tokens are hashed with bcrypt before storage. Plaintext credentials are never persisted to disk or logs.

🔄 Token Rotation

Credentials can be rotated at any time via the operator dashboard. Old tokens are invalidated immediately on rotation.

👤 Operator Session Auth

Operator and customer sessions use signed session tokens with configurable expiry and revocation support.

🚫 Fail-Fast on Misconfiguration

The application validates all required environment variables at startup and refuses to start if any are missing.

Tenant Isolation

🏢 Credential Isolation

SCIM credentials are tenant-scoped. A token issued for tenant A cannot access or modify tenant B data.
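The three controls above (hashed bearer tokens, immediate invalidation on rotation, and tenant-scoped credentials) fit together as shown in this added example. It is not LabsNinja code: it assumes a token of the form "<id>.<secret>" so the stored row can be found by id before the slow hash is checked, uses an in-memory dict as a stand-in for the credential table, and uses the standard-library scrypt in place of bcrypt (both are salted, deliberately slow hashes; the storage and verification structure is the same).

```python
from __future__ import annotations
import hmac
import os
import secrets
from dataclasses import dataclass
from hashlib import scrypt

@dataclass
class StoredToken:
    tenant_id: str
    salt: bytes
    digest: bytes          # slow hash of the secret half; the secret itself is never stored
    revoked: bool = False

# Constructed in-memory stand-in for the credential table, keyed by the public token id.
_tokens: dict[str, StoredToken] = {}

def _hash_secret(secret: str, salt: bytes) -> bytes:
    # scrypt stands in for bcrypt here (assumption); parameters are modest so it runs quickly.
    return scrypt(secret.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)

def issue_token(tenant_id: str) -> str:
    """Mint a bearer token "<id>.<secret>"; only the id and a hash of the secret are kept."""
    token_id = secrets.token_urlsafe(8)
    secret = secrets.token_urlsafe(32)
    salt = os.urandom(16)
    _tokens[token_id] = StoredToken(tenant_id, salt, _hash_secret(secret, salt))
    return f"{token_id}.{secret}"

def _lookup(bearer: str) -> tuple[str, StoredToken] | None:
    """Resolve a presented bearer token to its stored record, or None if it does not verify."""
    token_id, sep, secret = bearer.partition(".")
    record = _tokens.get(token_id)
    if not sep or record is None or record.revoked:
        return None
    # Constant-time comparison of the freshly computed hash against the stored digest.
    if not hmac.compare_digest(_hash_secret(secret, record.salt), record.digest):
        return None
    return token_id, record

def authenticate(bearer: str, tenant_id: str) -> bool:
    """True only if the token verifies AND was issued for the tenant being accessed."""
    found = _lookup(bearer)
    return found is not None and found[1].tenant_id == tenant_id

def rotate_token(bearer: str) -> str | None:
    """Revoke the presented token and mint a replacement for the same tenant."""
    found = _lookup(bearer)
    if found is None:
        return None
    found[1].revoked = True
    return issue_token(found[1].tenant_id)
```

The id prefix exists because a salted slow hash cannot be used as a lookup key; without it, every stored hash would have to be recomputed on each request.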

🚫 Operator / Customer Separation

Internal operator routes and customer-facing routes are on separate auth stacks with different session types and privilege levels.

Security Checklist

Control | Status
TLS enforced on all external traffic | ✓ Enforced by Caddy
App bound to localhost only | ✓ 127.0.0.1:8000
Bearer tokens bcrypt-hashed | ✓ Never stored plaintext
Tenant data isolation in all queries | ✓ Row-level scoping
Operator / customer auth stacks separated | ✓ Separate session types
Secrets validated at startup | ✓ Fail-fast on missing config
Audit log on all privileged actions | ✓ Structured JSON audit log
Input validation on all SCIM endpoints | ✓ Pydantic schema validation

Questions about our security posture?

Contact us for security documentation, compliance questionnaires, or to report a vulnerability.