# Security Security documents how AeThex protects identity, data, projects, organizations, APIs, and operational systems. <div class="docs-section-heading"> <h2>Security posture</h2> <p>Security is a platform-wide responsibility, not a single feature.</p> </div> Security spans [[Passport]], [[Authentication]], [[Permissions]], [[Security-Model]], infrastructure, API behavior, secret handling, audit logs, and user education. ## Security priorities - Protect identity and session flows. - Keep secrets out of client code and public repos. - Enforce least-privilege permissions. - Audit sensitive actions. - Harden API and webhook integrations. - Document incident response and disclosure expectations. ## Practical checklist 1. Use Passport for identity flows. 2. Validate tokens server-side. 3. Check authorization after authentication. 4. Rotate compromised credentials. 5. Log admin and security-sensitive actions. 6. Review access regularly. <div class="docs-grid"> <a class="docs-card" href="/Security-Model">Security Model</a> <a class="docs-card" href="/Authentication">Authentication</a> <a class="docs-card" href="/Permissions">Permissions</a> <a class="docs-card" href="/Policies">Policies</a> </div> > [!WARNING] > Never paste production secrets, tokens, private keys, or credentials into public docs, tickets, chats, screenshots, or issue trackers.