Security
We implement enterprise-level security protocols to protect your data and ensure system integrity.
Last updated: January 31, 2026
1. Overview
Arko's security is built on a multi-layered architecture covering authentication, storage, data transport, and continuous monitoring.
Security Stack
- Firebase Authentication (OAuth 2.0 / OpenID Connect)
- AWS DynamoDB with at-rest encryption (AES-256)
- TLS 1.3 for data transport
- Rate limiting and DDoS protection
- Centralized audit logs
2. Authentication
2.1 Firebase Auth
We use Firebase Authentication as our identity provider. All users must authenticate using one of the following methods:
- Google Sign-In: OAuth 2.0 with Google as provider.
- Email/Password: Credentials stored with bcrypt hash (cost factor: 10).
2.2 JWT Tokens
Sessions are managed using JSON Web Tokens (JWT) signed with RS256:
- Expiration: 1 hour (access token)
- Automatic rotation via refresh tokens
- Signature validation on each request
- Immediate revocation on logout
2.3 Server-side verification
All API endpoints validate tokens using Firebase Admin SDK:
// Mandatory verification on each endpoint
const token = request.headers.get("Authorization")?.split("Bearer ")[1];
const decoded = await admin.auth().verifyIdToken(token);
3. Data Storage
3.1 DynamoDB
All user information is stored in Amazon DynamoDB with the following guarantees:
- At-rest encryption: AES-256 managed by AWS KMS.
- In-transit encryption: TLS 1.3 between client and server.
- User isolation: All records include uid as partition key.
- Point-in-time recovery: Continuous backups with 35-day retention.
3.2 Sensitive data
The following data receives an additional encryption layer before storage:
- User API keys (encrypted with AES-256-GCM)
- Webhook URLs with embedded credentials
- Access tokens for external services
3.3 Data retention
Data is retained according to the following policies:
- Conversations: Indefinitely (until user deletes them).
- Audit logs: 90 days.
- Deleted account data: 30 days (recovery period).
4. API Security
4.1 API Keys
Users can generate API keys for programmatic access. Security policies:
- Format: arko_[random_32_chars]
- Storage: SHA-256 hash in database
- Expiration: Configurable (default: no expiration)
- Rotation: Manual by user
- Revocation: Instant
Critical recommendations
- DO NOT include API keys in public repositories
- DO NOT share API keys via email or messaging
- Rotate compromised API keys immediately
- Use environment variables to store keys
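An added example, not Arko's own code, of the key handling described in 4.1: generate a key in the arko_ format, keep only its SHA-256 digest, and check revocation and expiry on lookup. The base62 alphabet, the in-memory Map standing in for the database, and the function names are assumptions.

```javascript
// Added example (not Arko's code): keys shaped like arko_[random_32_chars],
// with only a SHA-256 digest kept server-side.
const { createHash, randomBytes } = require("node:crypto");

const PREFIX = "arko_";
const ALPHABET = // assumed alphabet: base62
  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
const KEY_PATTERN = /^arko_[A-Za-z0-9]{32}$/;

// Draw 32 characters uniformly: bytes >= 248 are rejected so that
// byte % 62 carries no modulo bias (248 = 4 * 62).
function generateApiKey() {
  let body = "";
  while (body.length < 32) {
    for (const byte of randomBytes(48)) {
      if (byte < 248 && body.length < 32) body += ALPHABET[byte % 62];
    }
  }
  return PREFIX + body;
}

// The digest is what goes in the database; the key itself is shown once.
function hashApiKey(key) {
  return createHash("sha256").update(key, "utf8").digest("hex");
}

// Returns the matching record or null. `store` is a hypothetical
// Map<digestHex, { uid, revoked, expiresAt }> standing in for the database.
function verifyApiKey(presented, store, now = Date.now()) {
  // Reject malformed input before any hashing or database work.
  if (typeof presented !== "string" || !KEY_PATTERN.test(presented)) return null;
  const record = store.get(hashApiKey(presented));
  if (!record || record.revoked) return null; // revocation is instant
  if (record.expiresAt !== null && record.expiresAt <= now) return null;
  return record;
}
```

A plain SHA-256 digest is adequate here because 32 random base62 characters carry about 190 bits of entropy, unlike user-chosen passwords, which need a slow hash such as the bcrypt listed in 2.1.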
4.2 Rate limiting
We implement rate limiting to prevent abuse:
| Endpoint | Limit |
|---|---|
| POST /v2/auth | 10 requests / min |
| POST /v2/agents/:id/chat | 60 requests / min |
| GET /v2/* | 300 requests / min |
| POST/PUT/DELETE /v2/* | 100 requests / min |
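An added example, not Arko's own code, showing how the overlapping rows of this table can be resolved: the two specific POST routes also match the POST/PUT/DELETE wildcard, so rule order decides which budget applies. First-match ordering, the fixed one-minute window, per-client counting and all names are assumptions.

```javascript
// Added example (not Arko's code): the table as ordered rules plus a
// fixed-window counter. Rule order and the windowing scheme are assumptions.
const RULES = [
  { name: "auth", methods: ["POST"], path: /^\/v2\/auth$/, limit: 10 },
  { name: "chat", methods: ["POST"], path: /^\/v2\/agents\/[^/]+\/chat$/, limit: 60 },
  { name: "read", methods: ["GET"], path: /^\/v2\//, limit: 300 },
  { name: "write", methods: ["POST", "PUT", "DELETE"], path: /^\/v2\//, limit: 100 },
];
const WINDOW_MS = 60_000;

// First match wins, so the specific POST routes must precede the wildcard;
// otherwise POST /v2/auth would get the 100/min budget instead of 10/min.
function resolveRule(method, path) {
  const m = method.toUpperCase();
  return RULES.find((r) => r.methods.includes(m) && r.path.test(path)) ?? null;
}

function createLimiter() {
  const windows = new Map(); // "client|rule" -> { start, count }
  return function check(clientId, method, path, now) {
    const rule = resolveRule(method, path);
    // Requests the table does not cover are passed through in this sketch.
    if (!rule) return { allowed: true, rule: null };
    const key = `${clientId}|${rule.name}`;
    let w = windows.get(key);
    if (!w || now - w.start >= WINDOW_MS) {
      w = { start: now, count: 0 };
      windows.set(key, w);
    }
    if (w.count >= rule.limit) {
      // Seconds until the window resets, suitable for a Retry-After header.
      const retryAfter = Math.ceil((w.start + WINDOW_MS - now) / 1000);
      return { allowed: false, rule: rule.name, retryAfter };
    }
    w.count += 1;
    return { allowed: true, rule: rule.name, remaining: rule.limit - w.count };
  };
}
```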
4.3 HTTPS mandatory
All HTTP requests are automatically redirected to HTTPS. Configuration:
- TLS 1.3 (fallback to TLS 1.2)
- HSTS header: max-age=31536000; includeSubDomains
- Certificates issued by Let's Encrypt
- Automatic rotation every 90 days
4.4 CORS
Cross-Origin Resource Sharing (CORS) is configured to allow only authorized origins:
Access-Control-Allow-Origin: https://arko.arcaelas.com
Access-Control-Allow-Methods: GET, POST, PUT, PATCH, DELETE
Access-Control-Allow-Headers: Authorization, Content-Type
Access-Control-Max-Age: 86400
5. Auditing and Monitoring
5.1 Audit logs
We log the following security events:
- Authentication attempts (successful and failed)
- Creation, rotation and revocation of API keys
- Access to sensitive data (agents, conversations)
- Modifications to account configuration
- Data deletion
Each log includes:
- Timestamp (UTC)
- User ID
- IP address
- User-Agent
- Resource accessed
- Result (success/failure)
5.2 Anomaly detection
We monitor usage patterns to detect suspicious activity:
- Failed authentication attempts: >5 attempts in 10 minutes results in 30-minute temporary lock.
- Unusual geographic access: Login from new location generates email notification.
- Abnormal request volume: Automatic activation of additional rate limiting.
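An added example, not Arko's own code, that replays audit-log entries with the fields from 5.1 and applies the failed-authentication rule above: the sixth failure inside a sliding 10-minute window starts a 30-minute lock. The log entries are constructed, and the sliding window, the counter reset after a lock, and all names are assumptions.

```javascript
// Added example (not Arko's code): ">5 failures in 10 minutes => 30-minute
// lock", evaluated per user over audit-log entries.
const FAIL_WINDOW_MS = 10 * 60 * 1000;
const LOCK_MS = 30 * 60 * 1000;
const MAX_FAILURES = 5; // the lock triggers on the attempt that exceeds this

// Constructed sample entries carrying the fields listed in section 5.1.
const entry = (ts, uid, result, ip = "203.0.113.7") => ({
  ts, uid, ip, userAgent: "curl/8.5.0", resource: "POST /v2/auth", result,
});
const at = (h, m) => `2026-01-31T${h}:${String(m).padStart(2, "0")}:00Z`;
const SAMPLE_LOG = [
  ...[0, 1, 2, 3, 4, 5].map((m) => entry(at("10", m), "user-a", "failure")),
  entry(at("10", 6), "user-a", "success"), // falls inside the lock
  entry(at("10", 40), "user-a", "success"), // lock ended at 10:35
  ...[0, 3, 6, 9, 12, 15].map((m) =>
    entry(at("11", m), "user-b", "failure", "198.51.100.9")),
];

// Entries must be sorted by timestamp. Returns one decision per entry.
function replay(log) {
  const state = new Map(); // uid -> { failures: number[], lockedUntil }
  const decisions = [];
  for (const e of log) {
    const t = Date.parse(e.ts);
    const s = state.get(e.uid) ?? { failures: [], lockedUntil: 0 };
    state.set(e.uid, s);
    if (t < s.lockedUntil) {
      // During a lock every attempt is refused, even with valid credentials.
      decisions.push({ ts: e.ts, uid: e.uid, action: "rejected-locked" });
      continue;
    }
    const d = { ts: e.ts, uid: e.uid, action: e.result };
    if (e.result === "failure") {
      s.failures = s.failures.filter((f) => t - f < FAIL_WINDOW_MS);
      s.failures.push(t);
      if (s.failures.length > MAX_FAILURES) {
        s.lockedUntil = t + LOCK_MS;
        s.failures = []; // assumption: the counter restarts after a lock
        d.action = "lock";
        d.until = new Date(s.lockedUntil).toISOString();
      }
    }
    decisions.push(d);
  }
  return decisions;
}
```

In the sample, user-a is locked at 10:05, while user-b's six failures spaced three minutes apart never put more than four inside any 10-minute window and so never trigger the rule.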
5.3 Incident response
If we detect a security breach:
- Immediate containment: Blocking of compromised access.
- Investigation: Log analysis to determine scope.
- Notification: Email to affected users within 72 hours.
- Remediation: Application of patches and credential rotation.
- Post-mortem: Root cause analysis and preventive improvements.
6. Vulnerability Reporting
If you discover a security vulnerability in Arko, please report it responsibly.
Reporting process
- Send an email to security@arcaelas.com
- Include detailed description and steps to reproduce
- DO NOT disclose publicly until receiving confirmation
- Response time: 48 business hours
We appreciate the collaboration of the security community and are considering implementing a bug bounty program in the future.
7. Contact
For security questions or to report vulnerabilities: