Security
Passport's whole job is holding your team's credentials so AI clients never do. Every claim below is implemented, most are enforced by tests in CI, and where we haven't earned a checkmark yet, we say so.
Credentials
AI clients never hold upstream credentialsOAuth tokens and API keys live server-side and are brokered per call. Client configs only launch the local bridge; hosted clients get rotating per-member grants. Nothing worth stealing lands in an mcp.json.
Encrypted at rest, rotatable keysUpstream OAuth tokens, company keys, and IdP secrets are AES-256-GCM encrypted under a keyring with an operator-run rekey tool. Passport-issued tokens are stored only as SHA-256 digests; raw values are delivered exactly once.
Verified sign-inA typed email is a claim, not an identity: browser sign-in mails a single-use, expiring link. Workspace joining is invite-only by default, with an opt-in company-domain policy, re-checked when a link is redeemed.
Isolation
Every workspace is its own worldPer-workspace documents and event logs, workspace-prefixed credentials, and version-guarded writes. Cross-tenant isolation is exercised by a dedicated end-to-end test on every commit.
Standards-based inbound OAuthHosted clients (ChatGPT, Claude.ai) connect through OAuth 2.1 with PKCE, single-use codes, refresh rotation, and reuse detection. A replayed rotated token revokes its whole family.
Network egress guardedAdmin-supplied URLs (MCP endpoints, webhooks, SIEM) pass SSRF checks including DNS resolution against private ranges and cloud metadata endpoints.
The catalog you connect to
81 of 125 connectors probe-verifiedEvery catalog endpoint is probed live (protocol handshake, transport, auth classification) and re-verified weekly. Registry changes ship as reviewed diffs, never auto-deployed, because those URLs decide where members' tokens are sent.
15 toolsets hash-pinned against rug pullsOpenly listable servers get their tool definitions scanned for injection patterns and pinned by hash; a silently changed toolset or newly suspicious text fails the weekly check.
Governance at the gateway, not in the promptRead-only passes, per-tool kill switches, and secret-detection guardrails are enforced server-side on every call. An AI client cannot talk its way past them.
Accountability
Everything attributed and auditableEvery tool call carries the person, client, tool, and outcome; admin actions land in an audit trail exportable as CSV/JSONL, with SIEM/OTLP streaming on the Business plan.
Deletion is realRemoving a person revokes their sessions everywhere and drops their grants. Deleting a workspace purges its document and event log, not a soft delete.
Fail-closed production postureA production deployment refuses to boot without an encryption key, an https origin, and explicit signup/demo settings. CI runs secret scanning, dependency audit, and SAST on every change.
Deployment choices
Self-host it entirelyPassport is a single container plus Postgres. Run it in your own VPC with your own keys; the hosted service never touches your data. The gateway, catalog, and governance are identical.
What we haven't earned yetNo SOC 2 report yet (early access; it's on the roadmap and this page is the interim posture doc). No public third-party uptime history yet; the status page reports live component health in the meantime.
Full data-handling details: Privacy. Found a vulnerability? Tell us directly. We fix fast and credit reporters.