Security

AmpGate is a security product. Here is exactly how we protect your data and your customers' data.

🔐 Token Signing — Ed25519

Every Agent Task Token (ATT) is signed with an Ed25519 private key generated on first boot and stored with filesystem permission 600. Ed25519 produces 64-byte signatures, is resistant to timing attacks, and is significantly faster and smaller than RSA-2048 or ECDSA. The corresponding public key is exposed at /.well-known/jwks.json so any service in your infrastructure can independently verify tokens without calling home.

🔗 Tamper-Proof Audit Log

The audit log is hash-chained. Every event includes the SHA-256 hash of the previous event, so a deleted or modified event breaks the chain. The GET /v1/audit/verify-chain endpoint recomputes the full chain and identifies the first broken link if tampering is detected. This provides cryptographic evidence of log integrity for compliance audits.
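The hash chain described above, as an added example that is not AmpGate's own code: it builds a small chained log and reports the first broken link after an edit or a deletion. The event fields (`seq`, `action`, `actor`, `prev_hash`, `hash`), the all-zero genesis value and the canonical-JSON encoding are assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed prev_hash for the first event (not from the page)

def event_hash(event: dict) -> str:
    """SHA-256 over canonical JSON of every field except the event's own hash."""
    body = {k: v for k, v in event.items() if k != "hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def append_event(log: list, action: str, actor: str) -> dict:
    """Append an event that commits to the hash of the previous event."""
    prev = log[-1]["hash"] if log else GENESIS
    event = {"seq": len(log), "action": action, "actor": actor, "prev_hash": prev}
    event["hash"] = event_hash(event)
    log.append(event)
    return event

def verify_chain(log: list):
    """Return None if the chain is intact, else the index of the first broken link."""
    prev = GENESIS
    for i, event in enumerate(log):
        # A link is broken if it points at the wrong predecessor or its
        # stored hash no longer matches its contents.
        if event.get("prev_hash") != prev or event.get("hash") != event_hash(event):
            return i
        prev = event["hash"]
    return None

def sample_log() -> list:
    """Constructed sample events, not real audit records."""
    log = []
    for action, actor in [("token.issue", "agent-a"), ("token.verify", "svc-b"),
                          ("token.revoke", "admin"), ("login", "user-c")]:
        append_event(log, action, actor)
    return log

if __name__ == "__main__":
    log = sample_log()
    print("intact:", verify_chain(log))
    log[1]["actor"] = "svc-x"   # modify an event in place
    print("modified:", verify_chain(log))
    log = sample_log()
    del log[2]                  # delete an event from the middle
    print("deleted:", verify_chain(log))
```

Removing events from the end of the log leaves the remaining chain valid, so a verifier also needs the latest hash from a separately stored copy to detect truncation.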

⚡ Instant Revocation via Redis

Every token carries a nonce stored in Redis at issuance. Revoking a token writes to Redis immediately — verification fails within milliseconds. The cryptographic JWT expiry is a backstop; Redis revocation is the primary control. This means a compromised token can be stopped in real time, not just when it expires.

🛡️ Authentication Security

  • bcrypt password hashing (cost factor 12) — cracking is computationally infeasible
  • Constant-time comparison for API keys — prevents timing attacks
  • Dummy bcrypt on unknown email at login — prevents user enumeration via response timing
  • 2FA via email on every login — cryptographically random 6-digit codes via secrets.randbelow()
  • Rate limiting on all auth endpoints — by IP and by email address
  • Session invalidation on password change — stolen sessions are immediately revoked

🔒 HTTP Security

  • TLS enforced in production — HTTP redirected to HTTPS
  • HSTS — max-age=31536000; includeSubDomains
  • Content-Security-Policy — restricts script sources, blocks inline execution
  • X-Frame-Options: DENY — prevents clickjacking
  • X-Content-Type-Options: nosniff — prevents MIME sniffing
  • Server header removed — no version fingerprinting

📧 No Plaintext Secrets

  • ✓ API keys are stored as SHA-256 hashes — raw keys never persisted
  • ✓ Session tokens are hashed before DB storage
  • ✓ Webhook secrets are never returned after creation
  • ✓ Startup refuses to run in production with default/weak secrets

📮 Responsible Disclosure

Found a vulnerability? Email security@ampgate.io. We will respond within 48 hours and coordinate disclosure responsibly.