Security is the architecture, not a feature.
Tenant isolation enforced at every query layer. Approval-gated execution. SHA-256 hashed evidence. Zero inbound ports on edge agents. These are not configuration options, they are architectural constraints.
Every query is scoped. No exceptions.
Tenant isolation and role enforcement are not layers applied on top of the platform; they are built into every query, every API route, and every service call independently.
organizationId on every object
Every business object (requests, workflows, audit events, findings) requires an organizationId. The query does not execute if the ID is missing or mismatched.
Three-layer enforcement
Tenant scope is enforced independently at the ORM layer, the API middleware, and the service layer. Three redundant checks must all fail simultaneously for a cross-tenant leak to be possible.
Domain allowlist
Organization administrators can restrict enrollment to specific email domains. Users outside the allowlist cannot self-enroll or create an account in the tenant.
No shared views or global queries
There are no implicit global queries, no shared table views, and no admin bypass that silently widens scope. Every query is explicitly scoped.
Six RBAC roles, fail-closed
Unknown or invalid role assignments fall back to readonly automatically. The system is fail-closed on authorization. No privilege escalation is possible through the API.
Middleware-first enforcement
Role checks execute at the middleware layer before any route handler or business logic runs. There is no path to a protected endpoint without a valid, scoped role.
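The two checks described above, the ORM-layer tenant scope and the middleware-layer fail-closed role resolution, as an added illustration; this is example code, not Nuxari's implementation, and the six role names, the action table and the in-memory table are constructed assumptions (only "readonly" and "organizationId" come from the page):

```python
# Assumption: the page says there are six roles and that unknown roles fall
# back to readonly; these six names are placeholders for illustration.
KNOWN_ROLES = {"owner", "admin", "operator", "approver", "auditor", "readonly"}
# Assumed action-to-role table; only "readonly" is named on the page.
ALLOWED = {
    "read": KNOWN_ROLES,
    "approve": {"owner", "admin", "approver"},
    "execute": {"owner", "admin", "operator"},
}

# Constructed in-memory table standing in for a tenant-scoped ORM model.
REQUESTS = [
    {"id": "r1", "organizationId": "org_a", "title": "grant access"},
    {"id": "r2", "organizationId": "org_b", "title": "revoke access"},
    {"id": "r3", "title": "orphan"},  # no organizationId: must never be returned
]

class TenantScopeError(Exception):
    """Raised when a query would run without, or across, a tenant scope."""

def resolve_role(raw) -> str:
    """Fail-closed: any unknown, missing or malformed role becomes readonly."""
    return raw if raw in KNOWN_ROLES else "readonly"

def authorize(session: dict, action: str) -> str:
    """Middleware-layer check: runs before any route handler is reached."""
    role = resolve_role(session.get("role"))
    if role not in ALLOWED.get(action, set()):
        raise PermissionError(f"role {role!r} may not {action}")
    return role

def scoped_query(table: list, org_id, filters: dict = None) -> list:
    """ORM-layer check: refuses to run without a tenant id and always ANDs it in."""
    if not org_id:
        raise TenantScopeError("organizationId missing from query")
    filters = dict(filters or {})
    if filters.get("organizationId", org_id) != org_id:
        raise TenantScopeError("filter names a different organizationId")
    filters["organizationId"] = org_id  # scope is applied, never optional
    return [row for row in table if all(row.get(k) == v for k, v in filters.items())]

def list_requests(session: dict, filters: dict = None) -> list:
    """Route handler: both checks run independently on every call, in order."""
    authorize(session, "read")
    return scoped_query(REQUESTS, session.get("organizationId"), filters)
```

The row without an organizationId is unreachable from any tenant, and a filter naming another tenant is refused rather than silently widened.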
Enterprise identity, not an afterthought.
Nuxari uses Keycloak as its identity broker with PKCE-secured OIDC. Organizations can federate their existing IdP without routing credentials through Nuxari.
Keycloak SSO with PKCE
Nuxari uses Keycloak as its identity broker with PKCE-secured OIDC flows. Organizations can federate an existing IdP (Entra ID, Okta, or Google Workspace) without routing credentials through Nuxari.
MFA enforcement
MFA is enforceable at the organization level through OrgIdentityPolicy. Enforcement is server-side; the platform does not trust client-declared MFA status.
SAML & SCIM
Nuxari supports SAML federation via standard identity providers and SCIM for automated provisioning and deprovisioning through your existing IdP.
Invite-only registration
Self-registration is disabled. Account creation requires an invite token issued by an organization admin. Invite tokens expire on a configurable TTL.
Minimum 12-character passwords
Local credential accounts enforce a 12-character minimum password policy. Password strength is validated server-side at registration and change time.
Login restrictions
Organization administrators can restrict login to specific methods and IP ranges. Access from outside permitted network ranges is blocked at the authentication layer.
Tamper-evident records. Immutable by design.
Every audit event is hashed at creation time. No action executes without a linked approval record. Secrets are redacted before storage. The audit chain is complete by the time the action completes, not assembled later.
SHA-256 hashed audit events
Every audit event is hashed at creation time. The hash covers the full event payload: actor, target, action, timestamp, and metadata. A Merkle root is computed over evidence chains for auditor verification.
Secret redaction before storage
Evidence fields (evidenceJson, beforeJson, afterJson) are scanned for secrets before write. Tokens, keys, and credential patterns are redacted automatically. Raw API responses are never stored.
Approval-gated execution
No privileged action executes without an approvalRef linking it to a completed approval record. This is an architectural constraint: the workflow engine will not advance without it.
Immutable records
Audit events and evidence records cannot be modified after creation. The record exists the moment the action completes and is locked by its SHA-256 hash.
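The redact-then-hash ordering, hash verification and Merkle root described in this section, as an added illustration; this is example code, not Nuxari's implementation, and it assumes canonical JSON (sorted keys) as the hashing input, a constructed redaction regex, and a constructed sample event:

```python
import hashlib, json, re

# Constructed redaction pattern: the page names tokens, keys and credential
# patterns but not the exact expressions, so this one is illustrative only.
SECRET_RE = re.compile(
    r"Bearer\s+[A-Za-z0-9._\-]+|(?i:api[_-]?key|client[_-]?secret|password)\s*[=:]\s*\S+"
)

# Constructed sample event carrying the fields the page lists; not platform data.
SAMPLE_EVENT = {
    "actor": "alice@example.com",
    "action": "access.grant",
    "target": "svc-account-42",
    "timestamp": "2024-01-01T00:00:00Z",
    "approvalRef": "apr_demo_1",
    "evidenceJson": {
        "request_headers": "Authorization: Bearer eyJhbGciOi.payload.sig",
        "note": "client_secret=s3cr3t-value was used",
    },
}

def redact(obj):
    """Walk nested dicts and replace secret-looking substrings before the write."""
    if isinstance(obj, dict):
        return {k: redact(v) for k, v in obj.items()}
    return SECRET_RE.sub("[REDACTED]", obj) if isinstance(obj, str) else obj

def hash_event(event: dict) -> str:
    """SHA-256 over canonical JSON (sorted keys, no whitespace) of the payload."""
    canonical = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()

def record_event(event: dict) -> dict:
    """Redact first, then hash, so the hash locks exactly what is stored."""
    stored = redact(event)
    return {**stored, "hash": hash_event(stored)}

def verify_event(stored: dict) -> bool:
    """Recompute the hash over every field except the hash itself."""
    body = {k: v for k, v in stored.items() if k != "hash"}
    return hash_event(body) == stored["hash"]

def merkle_root(leaf_hashes: list) -> str:
    """Pairwise SHA-256 up the tree; an odd trailing leaf is paired with itself."""
    level = list(leaf_hashes)
    while len(level) > 1:
        level += level[-1:] if len(level) % 2 else []
        level = [hashlib.sha256((a + b).encode()).hexdigest() for a, b in zip(level[::2], level[1::2])]
    return level[0]
```

Hashing after redaction matters: if the hash were taken over the raw payload, a verifier holding only the stored (redacted) record could never recompute it.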
Credentials never reach the frontend. The perimeter stays closed.
Integration credentials are stored encrypted and never returned to clients. Edge agents operate outbound-only: no inbound ports, cryptographically signed action packages, and local-only evidence processing.
Credentials never reach the frontend
Integration credentials (OAuth tokens, API keys, client secrets) are stored encrypted at rest, never returned to frontend clients, never included in audit metadata, and never logged.
Agent tokens stored as hashes
Agent tokens are stored as SHA-256 hashes. The plaintext token is issued once at registration and is never persisted in the platform database. If lost, the token must be rotated.
Zero inbound ports
Edge agents operate outbound-only. The agent initiates all connections. The platform never connects inward. No firewall rule is required to open an inbound path into the agent environment.
Cryptographically signed action packages
Action packages delivered to agents are signed by the platform after approval completes. Agents verify the signature before executing. Unsigned or tampered packages are rejected.
Local evidence processing
Evidence is processed locally on the agent host. Only structured summaries leave the environment. Raw log data, file contents, and sensitive host data never cross the network boundary.
Credential rotation audit trail
Connector credential rotation is a governed workflow with its own audit trail. Old credentials are invalidated before new ones activate. The rotation event is an immutable record.
Nuxari does not claim formal certification (FedRAMP, HIPAA, CMMC, SOC 2, NIST) unless explicitly validated. The platform is designed to support audit-ready workflows, evidence collection, and control-aligned operations; formal certification requires independent validation.
Report a vulnerability.
We take security reports seriously. If you discover a vulnerability in Nuxari, whether in the API, the authentication flow, the tenant isolation model, or any other component, please report it privately.
We ask that you give us a reasonable window to investigate and respond before public disclosure. We will acknowledge your report within 2 business days and provide a resolution timeline within 5.
Contact
security@nuxari.com
Suggested report format
Subject: [Security Report] <brief description>
Affected component: <API route / auth flow / isolation model / other>
Severity estimate: <critical / high / medium / low>
Reproducible: <yes / no>
Steps to reproduce:
1. …
2. …
3. …
Expected behavior: <what should happen>
Actual behavior: <what actually happened>
Supporting evidence: <screenshots, curl output, or structured payload; redact tokens>
We ask that you do not publicly disclose the issue until we have had a reasonable opportunity to investigate and respond. We will acknowledge reports within 2 business days.
Build the operating layer for governance work.
See how Nuxari Ops reduces manual IT work, eliminates access drift, and generates audit evidence automatically, across your entire enterprise.