Security

Tokay's security model starts with a dedicated virtual machine for each Workspace, then adds Project isolation, encrypted secrets, scoped access, and recoverable production changes. This page explains the boundaries so a team can judge what Tokay protects and where its own application responsibilities begin.

Last updated

Workspaces are isolated by hardware virtualization

Every Workspace runs on its own KVM virtual machine. KVM is the hardware virtualization boundary used by major cloud providers between customers.

A compromise inside another customer's application is contained inside that customer's virtual machine. It cannot reach your Workspace machine, Services, or data through a shared application runtime.

Inside one Workspace, Projects have private network boundaries. Services in one Project cannot connect directly to another Project's Services or databases.

Secrets are separated from source and builds

Credentials are encrypted at rest and delivered to Services as environment variables when they start. Tokay does not write stored values into source, build output, or platform logs.

Submitted code is checked for likely hardcoded credentials. Moving a detected value into secure storage and changing the source requires approval. See Secrets and environment variables.

Your application can still print a value it reads, so avoid logging credentials in application code.

Authentication belongs at the platform boundary

Tokay accounts use single use emailed magic links rather than passwords. A human confirmation step prevents email scanners that prefetch links from completing sign in.

Protected web apps use the same platform owned access layer. The application does not receive or manage Tokay session secrets, so its code cannot weaken the sign in flow. See Who can open your app.

Authorization follows memberships and credential grants

Workspace, Project, and repository roles define what an identity can reach. API tokens can narrow the actions that identity can perform.

Both are checked on each request. Removing a membership immediately narrows every token that depended on it. See Permissions.

Actions and app access are attributable

Deployments, configuration changes, membership changes, and API actions record their actor and credential. The Workspace audit log, available on paid plans, exposes that history.

Each Project also keeps an access log for its deployed apps, showing who was admitted or denied and which machine token called. See Who can open your app.

Data safety uses several recovery layers

Database migrations rehearse against a copy, and destructive changes can require confirmation and a snapshot. Deleted Projects, code, Services, and databases can be restored for 30 days. Persistent files are replicated away from the VM disk and receive periodic offsite snapshots.

Data can be exported in standard database formats. See Database migrations, Deleting and restoring, Files and persistent storage, and Databases.

Data location and Tokay access

Tokay infrastructure is hosted in the EU.

Tokay stores and processes the source and data needed to build and run your Services. The privacy policy and terms describe how that access is handled.

Send security questions or reports to hello@tokay.io.