Security & Authentication
AIPI is built with enterprise-grade security at every layer. This page covers how authentication, access control, encryption, and auditing work within the headless ecosystem.
Authentication
Every AIPI request must be authenticated. The platform supports multiple authentication methods depending on your application's architecture:
| Method | How It Works | Best For |
|---|---|---|
| API Key | A unique key included in request headers | Server-side applications, background services, CLI tools |
| Session-Based | Users sign in through the Vantage authentication flow and receive a session token | User-facing applications where individuals have accounts |
| Multi-Factor Authentication | Optional second factor (authenticator app or email code) required in addition to the session sign-in | Protecting session-based accounts against stolen passwords; recommended for all users |
| Passkeys | WebAuthn-based biometric or hardware key authentication | Modern, passwordless user authentication |
API Key Security
- API keys are generated in the Vantage Settings panel
- Each key is scoped to a specific company — it can only access that company's data
- Keys are displayed only once at creation — store them in a secrets manager or a server-side environment variable, never in source control or client-side code
- Keys can be revoked at any time from the Settings panel
Access Control
AIPI enforces the same role-based access control (RBAC) system used throughout Vantage:
Roles & Permissions
| Permission Category | Controls |
|---|---|
| Dashboard | Who can view, create, edit, and delete dashboards |
| Workflow | Who can view, create, execute, and manage workflows |
| Integration | Who can connect, configure, and remove integrations |
| AI | Who can use AI features, deploy agents, and manage AI settings |
| Admin | Who can manage users, roles, billing, and organization settings |
How Permissions Apply to AIPI
When an AIPI request is made:
- The system identifies the caller from the session token or API key presented with the request; a request with no valid credential is rejected before any permission is evaluated
- It resolves the role (and, for API keys, the company scope) associated with that caller
- The request is allowed only if the role's permission set includes the permission the operation requires; anything not granted is denied
- Denied requests fail closed: the operation is not performed and an error response is returned
Example: If a user's role does not include the `execute_workflows` permission, any AIPI request that attempts to trigger a workflow is rejected, and the denial is recorded in the audit log like any other request.
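The sequence above, as an added example in Node.js (not AIPI's own implementation): identify the caller, apply the company scope before anything else, check the role's permission set, and record the outcome as an audit entry with the fields listed under Audit Logging. The role table, principal table, operation names and HTTP status codes are assumptions made for illustration; only the permission name `execute_workflows` comes from this page.

```javascript
// Added example, not AIPI's own implementation. Role table, principal table,
// operation names and status codes are assumptions; only the permission name
// execute_workflows comes from the documentation.

// Constructed role -> permission sets. Deny is the default: a permission that
// is not listed is not granted.
const ROLES = {
  viewer: new Set(["view_dashboards", "view_workflows"]),
  operator: new Set(["view_dashboards", "view_workflows", "execute_workflows"]),
  admin: new Set(["view_dashboards", "view_workflows", "execute_workflows", "manage_users"]),
};

// Constructed principal table standing in for the authentication step. Session
// tokens and API keys both resolve to an identity, a role and one company scope.
// (A real system stores hashes of its secrets, never the tokens themselves.)
const PRINCIPALS = {
  "sess-alice": { kind: "user", id: "alice", company: "acme", role: "operator" },
  "sess-bob":   { kind: "user", id: "bob",   company: "acme", role: "viewer" },
  "key-01":     { kind: "api_key", id: "key-01", company: "globex", role: "operator" },
};

// Permission each operation requires. Operations missing from this map are
// denied for everyone, so a new endpoint stays closed until it is mapped.
const REQUIRED_PERMISSION = {
  "workflow.view": "view_workflows",
  "workflow.execute": "execute_workflows",
  "user.invite": "manage_users",
};

function authorize(credential, operation, resource, now = new Date()) {
  const deny = (status, reason) => ({ allowed: false, status, reason });
  const principal = PRINCIPALS[credential];
  let decision;

  if (!principal) {
    // 1. Unknown session or key: reject before looking at roles at all.
    decision = deny(401, "unknown credential");
  } else if (principal.company !== resource.company) {
    // 2. Company isolation comes before permissions. 404 rather than 403 is a
    //    design choice: it avoids confirming that another company's resource exists.
    decision = deny(404, "resource is outside the caller's company");
  } else {
    // 3. Resolve the role's permission set and check the operation's requirement.
    const required = REQUIRED_PERMISSION[operation];
    const permissions = ROLES[principal.role] ?? new Set();
    decision = required && permissions.has(required)
      ? { allowed: true, status: 200, reason: "ok" }
      : deny(403, `role '${principal.role}' lacks '${required ?? "(unmapped operation)"}'`);
  }

  // 4. Every decision, allowed or denied, yields an audit entry with the fields
  //    listed under Audit Logging. The raw credential is never written to the log.
  const audit = {
    timestamp: now.toISOString(),
    principal: principal ? `${principal.kind}:${principal.id}` : "unknown",
    action: operation,
    resource: `${resource.company}/${resource.type}/${resource.id}`,
    result: decision.allowed ? "success" : `denied:${decision.status}`,
  };
  return { ...decision, audit };
}

// Demonstration run: an operator triggering a workflow in her own company.
console.log(JSON.stringify(authorize("sess-alice", "workflow.execute",
  { company: "acme", type: "workflow", id: "wf-1" }).audit));
```

Two points the ordering enforces: the company check runs before the permission check, so even an `admin` role in one company gets nothing from another company's resources, and an operation that nobody has mapped to a permission is denied rather than silently allowed.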
Data Protection
Encryption
| Layer | Protection |
|---|---|
| In Transit | All AIPI communication uses TLS encryption |
| At Rest | Credentials, API keys, and sensitive configuration data are encrypted in storage |
| Credential Vault | Integration credentials (database passwords, API keys, OAuth tokens) are stored in an encrypted vault and never exposed in the UI after saving |
Data Isolation
- Company-level isolation — each company's data is fully separated from other companies
- User-level scoping — users only see data their role permits
- Organization boundaries — cross-company access requires explicit organization-level configuration
Audit Logging
Every AIPI interaction, successful or denied, is logged for compliance and troubleshooting:
| Log Entry | What's Recorded |
|---|---|
| Timestamp | When the request occurred |
| User/Key | Who made the request |
| Action | What operation was performed |
| Resource | Which data, workflow, or integration was accessed |
| Result | Whether the request succeeded or failed |
Audit logs are accessible to administrators through the Account Logs section in Vantage Settings.
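As an added example of working with these entries (not part of the AIPI documentation or product), the Node.js code below parses constructed audit records carrying the five fields above and runs two checks of the kind "Monitor audit logs" in the Security Best Practices asks for: a burst of denied requests from one principal, which is what permission probing with a low-privilege account or leaked key looks like, and issued API keys with no recent activity, which are candidates for revocation. The JSON-lines format, field names and sample values are constructed; this page does not specify how the Account Logs section exports entries.

```javascript
// Added example, not part of AIPI. The JSON-lines format, field names and
// sample values are constructed; the page does not specify the Account Logs
// export format.

// Constructed audit entries carrying the five fields from the table above.
// "user:bob" is denied three different operations within ten seconds, which is
// what permission probing with a low-privilege account looks like.
const SAMPLE_LOG = `
{"timestamp":"2024-05-01T09:00:01Z","principal":"api_key:key-02","action":"workflow.execute","resource":"acme/workflow/wf-1","result":"success"}
{"timestamp":"2024-05-01T09:00:05Z","principal":"api_key:key-02","action":"workflow.execute","resource":"acme/workflow/wf-1","result":"success"}
{"timestamp":"2024-05-01T09:01:00Z","principal":"user:bob","action":"workflow.execute","resource":"acme/workflow/wf-1","result":"denied:403"}
{"timestamp":"2024-05-01T09:01:04Z","principal":"user:bob","action":"integration.remove","resource":"acme/integration/int-7","result":"denied:403"}
{"timestamp":"2024-05-01T09:01:09Z","principal":"user:bob","action":"user.invite","resource":"acme/org/acme","result":"denied:403"}
{"timestamp":"2024-05-01T09:01:20Z","principal":"user:bob","action":"dashboard.view","resource":"acme/dashboard/d-1","result":"success"}
{"timestamp":"2024-05-01T11:30:00Z","principal":"api_key:key-02","action":"dashboard.view","resource":"globex/dashboard/d-9","result":"denied:404"}
{"timestamp":"2024-05-01T14:00:00Z","principal":"user:alice","action":"workflow.execute","resource":"acme/workflow/wf-2","result":"denied:403"}
{"timestamp":"2024-05-01T14:20:00Z","principal":"user:alice","action":"workflow.execute","resource":"acme/workflow/wf-2","result":"denied:403"}
`;

// Parse one JSON object per line and sort by time so window scans are linear.
function parseLog(text) {
  return text
    .split("\n")
    .map((line) => line.trim())
    .filter(Boolean)
    .map((line) => {
      const entry = JSON.parse(line);
      return { ...entry, t: Date.parse(entry.timestamp) };
    })
    .sort((a, b) => a.t - b.t);
}

// Flag any principal with at least `threshold` denied requests inside a sliding
// window of `windowSec` seconds (two-pointer scan over each principal's denials).
function denialBursts(entries, { threshold = 3, windowSec = 60 } = {}) {
  const denialsByPrincipal = new Map();
  for (const e of entries) {
    if (!e.result.startsWith("denied")) continue;
    if (!denialsByPrincipal.has(e.principal)) denialsByPrincipal.set(e.principal, []);
    denialsByPrincipal.get(e.principal).push(e);
  }
  const alerts = [];
  for (const [principal, denials] of denialsByPrincipal) {
    let worst = null;
    let j = 0;
    for (let i = 0; i < denials.length; i++) {
      while (j < denials.length && denials[j].t - denials[i].t <= windowSec * 1000) j++;
      const count = j - i;
      if (count >= threshold && (!worst || count > worst.count)) {
        const window = denials.slice(i, j);
        worst = {
          principal,
          count,
          from: window[0].timestamp,
          to: window[window.length - 1].timestamp,
          actions: [...new Set(window.map((d) => d.action))],
        };
      }
    }
    if (worst) alerts.push(worst);
  }
  return alerts;
}

// List issued API keys with no logged activity in the last `maxIdleDays` days.
// A key nobody uses is pure exposure and should be revoked.
function staleKeys(entries, issuedKeys, nowIso, maxIdleDays = 30) {
  const lastUse = new Map();
  for (const e of entries) {
    if (!e.principal.startsWith("api_key:")) continue;
    const key = e.principal.slice("api_key:".length);
    lastUse.set(key, Math.max(lastUse.get(key) ?? 0, e.t));
  }
  const cutoff = Date.parse(nowIso) - maxIdleDays * 86400000;
  return issuedKeys
    .filter((k) => (lastUse.get(k) ?? 0) < cutoff)
    .map((k) => ({ key: k, lastUsed: lastUse.has(k) ? new Date(lastUse.get(k)).toISOString() : null }));
}

const entries = parseLog(SAMPLE_LOG);
console.log(denialBursts(entries));
console.log(staleKeys(entries, ["key-02", "key-09"], "2024-05-20T00:00:00Z"));
```

Note that `user:alice` is also denied twice, but twenty minutes apart, so she does not trip the default 3-in-60-seconds rule; the thresholds are the tuning knobs, and the `actions` list in each alert is what tells a reviewer whether the denials look like a misconfigured client (one repeated action) or probing (many distinct actions).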
Security Best Practices
| Practice | Why |
|---|---|
| Use API keys for server-side only | Never expose API keys in frontend JavaScript — use a backend proxy or serverless function |
| Enable 2FA for all users | Adds a second layer of protection for user accounts |
| Use least-privilege roles | Assign only the permissions each user or service actually needs |
| Rotate API keys periodically | Reduces the risk window if a key is compromised; create the replacement key and switch callers to it before revoking the old one so rotation causes no outage |
| Monitor audit logs | Regularly review access patterns to detect anomalies |
| Use passkeys when available | A passkey is bound to the site's origin and its private key never leaves the authenticator, so it cannot be phished, replayed on another site, or stolen in a password-database breach |
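The first practice in the table, as an added example (not AIPI code): a minimal server-side proxy handler in Node.js that reads the key from the environment, injects it into the upstream request, strips anything the browser sent in its place, and only forwards routes on an allow-list so callers of the proxy do not inherit every permission the key holds. The header name `X-AIPI-Key`, the environment variable `AIPI_API_KEY`, the upstream host and the route list are assumptions; this page names none of them.

```javascript
// Added example, not AIPI code. Assumptions: the key travels in an X-AIPI-Key
// header, is read from the AIPI_API_KEY environment variable, and the upstream
// base URL is https://aipi.example. The route allow-list is illustrative.

const UPSTREAM = "https://aipi.example";
const KEY_HEADER = "x-aipi-key";

// Only these upstream operations may be reached through the proxy. Without an
// allow-list, anyone who can call the proxy inherits every permission the key has.
const ALLOWED_ROUTES = [
  { method: "GET", pattern: /^\/dashboards\/[A-Za-z0-9_-]+$/ },
  { method: "POST", pattern: /^\/workflows\/[A-Za-z0-9_-]+\/execute$/ },
];

function isAllowed(method, path) {
  return ALLOWED_ROUTES.some((r) => r.method === method && r.pattern.test(path));
}

// Build the upstream request from a browser request. The key is injected here,
// and any key, Authorization or Cookie header the client sent is dropped, so the
// browser cannot choose which credential the upstream sees.
function buildUpstreamRequest(clientReq, env) {
  const key = env.AIPI_API_KEY;
  if (!key) throw new Error("AIPI_API_KEY is not configured on the server");
  if (!isAllowed(clientReq.method, clientReq.path)) {
    return { error: { status: 403, body: "route not exposed by this proxy" } };
  }
  const headers = {};
  for (const [name, value] of Object.entries(clientReq.headers || {})) {
    const lower = name.toLowerCase();
    if ([KEY_HEADER, "authorization", "cookie", "host"].includes(lower)) continue;
    headers[lower] = value;
  }
  headers[KEY_HEADER] = key;
  return {
    request: {
      method: clientReq.method,
      url: UPSTREAM + clientReq.path,
      headers,
      body: clientReq.body,
    },
  };
}

// Forward with an injectable fetch so the handler can be exercised without
// network access. Only status and body go back to the client; upstream headers
// (and therefore the key) are never echoed.
async function handleProxy(clientReq, env, fetchImpl = globalThis.fetch) {
  const built = buildUpstreamRequest(clientReq, env);
  if (built.error) return built.error;
  const res = await fetchImpl(built.request.url, {
    method: built.request.method,
    headers: built.request.headers,
    body: built.request.body,
  });
  return { status: res.status, body: await res.text() };
}

// Demonstration: what the upstream would receive for a browser-originated call.
console.log(buildUpstreamRequest(
  { method: "POST", path: "/workflows/wf-1/execute", headers: { "Content-Type": "application/json" }, body: "{}" },
  { AIPI_API_KEY: "demo-key" },
).request);
```

The proxy is the place to enforce your own user session (the browser's login) before forwarding; the upstream only ever sees the server's key, so user-level authorization has to happen on this side, or the key should be issued with a least-privilege role as the table recommends.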
Related Documentation
- Access Control — Detailed RBAC documentation
- Data Protection — Encryption and data handling policies
- Audit Logs — Log access and configuration
- Two-Factor Auth — 2FA setup guide
- Passkey Settings — WebAuthn configuration
- Roles Settings — Role management
Next Steps
- Use Cases & Examples — See real-world AIPI application patterns
- Getting Started — Build your first AIPI-powered application