Account security
- Two-factor authentication with authenticator apps (TOTP), with the MFA secret stored encrypted
- Workspace-scoped login — an account belongs to a workspace, not to the platform at large
- Workspace-scoped password reset, so a reset flow cannot cross into another workspace
- Security headers applied at the platform level
- REST API access authenticated with Bearer tokens