Security Model (Application-Level)

1. Authentication And Tenant Isolation

• users authenticate through NextAuth-backed flows
• registration creates a dedicated tenant workspace automatically
• most protected APIs require both a valid session and tenant association
• tenant ownership checks gate tenant-scoped resources
• legacy third-party deletion utilities remain part of compliance tooling

2. Secure Builder Access

ReplyBase uses a controlled launch flow for bot builder access.

• users do not open the external builder from arbitrary URLs
• ReplyBase checks authentication and subscription state first
• only eligible users receive builder authorization redirect

3. Billing Protection

• billing endpoints require authenticated user session
• subscription lookups are tenant-scoped
• customer portal access is created server-side through Stripe
• plan limits are checked before selected resource creation flows

4. Owner Access Controls

• owner and restricted management surfaces are guarded server-side
• management APIs perform independent authorization checks
• non-authorized requests are redirected or rejected with 403
• use least-privilege access for day-to-day team operations

5. Webchat Protection

The webchat stack has the strongest explicit public-endpoint hardening in the product today.

• short-lived signed session tokens
• origin and referer validation
• allowed-domain enforcement per site
• rate limiting on init, message, and events
• replay-resistant init challenge handling
• bot mitigation checks
• configurable PII retention behavior
• rollout gating for staged enablement

6. Data And Compliance Utilities

• newsletter subscribe/unsubscribe supports app-session and API-key access where intended
• account data deletion requests are recorded via dedicated APIs
• legacy third-party deletion support remains part of compliance utilities