Security Model (Application-Level)

1. Authentication And Tenant Isolation

• users authenticate through NextAuth-backed flows
• registration creates a dedicated tenant workspace automatically
• most protected APIs require both a valid session and tenant association
• tenant ownership checks gate tenant-scoped resources

2. Secure Builder Access

ReplyBase uses a controlled launch flow for bot builder access.

• users do not open the external builder from arbitrary URLs
• ReplyBase checks authentication and subscription state first
• only eligible users receive builder authorization redirect

3. Billing Protection

• billing endpoints require authenticated user session
• subscription lookups are tenant-scoped
• customer portal access is created server-side through Stripe
• plan limits are checked before selected resource creation flows

4. Admin Access

• admin pages are guarded server-side
• admin APIs perform independent authorization checks
• admin access is tied to a single allowlisted identity in code
• non-admin requests are redirected or rejected with 403

5. Webchat Protection

The webchat stack has the strongest explicit public-endpoint hardening in the product today.

• short-lived signed session tokens
• origin and referer validation
• allowed-domain enforcement per site
• rate limiting on init, message, and events
• replay-resistant init challenge handling
• bot mitigation checks
• configurable PII retention behavior
• rollout gating for staged enablement

6. Data And Compliance Utilities

• newsletter subscribe/unsubscribe supports app-session and API-key access where intended
• account data deletion requests are recorded via dedicated APIs
• Facebook data deletion support is part of compliance surface