Security & MFA
Two-factor authentication, session management, API key expiration, and platform security features
Overview
AEO Optima provides multiple layers of security to protect your account and data: two-factor authentication (MFA), session management, API key expiration, encryption, row-level security, role-based access control, and comprehensive audit logging.
Two-Factor Authentication (TOTP)
Add an extra layer of security to your account using time-based one-time passwords (TOTP, RFC 6238). Any authenticator app that implements TOTP works: Google Authenticator, Authy, 1Password, Microsoft Authenticator, etc.
Enrolling in MFA
- Go to Settings > Profile.
- Find the Two-Factor Authentication section.
- Click Enable MFA to start enrollment.
- Scan the QR code with your authenticator app, or click "Show Secret" to manually enter the key.
- Enter the 6-digit verification code from your authenticator app.
- MFA is now active on your account.
Logging in with MFA
When MFA is enabled, after entering your email and password you will be prompted to enter a 6-digit code from your authenticator app. This challenge appears automatically when the system detects that your account requires AAL2 (Authenticator Assurance Level 2, the NIST SP 800-63B term for a session that has passed a second factor).
Disabling MFA
To disable MFA, go to Settings > Profile and click Disable MFA in the Two-Factor Authentication section. You may be asked to verify with a current code before disabling.
Session Management
Current session
Your profile settings page displays information about your current active session — when it was created and basic session metadata.
Global sign-out
Click Sign Out All Devices to immediately invalidate all active sessions across every browser and device. You will need to log in again on all devices after a global sign-out. This is useful if:
- You suspect unauthorized access to your account.
- You forgot to log out on a shared or public computer.
- You want to start fresh after changing your password.
API Key Expiration
API keys (BYOK — Bring Your Own Key) can be configured with an expiration date for enhanced security.
How it works
- When creating or editing an API key in Settings > API Keys, you can set an optional Expires At date.
- Expired keys are automatically excluded from snapshot captures at runtime — no manual intervention needed.
- The API Keys list shows status badges for each key:
| Badge | Meaning |
|---|---|
| Active (green) | Key is valid and in use |
| Expiring Soon (yellow) | Key expires within the next 7 days |
| Expired (red) | Key has expired and is no longer used for captures |
Best practices
- Rotate API keys periodically (every 90 days recommended).
- Set expiration dates on all keys to prevent forgotten keys from remaining active indefinitely.
- Remove expired keys to keep your settings clean.
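The badge thresholds and the capture-time exclusion above are small date comparisons, but the edge cases (no expiry set, expiry exactly now, the 7-day boundary) are where such code usually goes wrong. The following is an added example, not AEO Optima's own implementation; the key records are constructed, and `expiresAt` and `createdAt` are assumed to be ISO 8601 strings with `expiresAt` nullable.

```javascript
// Added example (not AEO Optima's code): status badges, capture-time
// filtering and rotation reminders for BYOK API keys with optional expiry.
const DAY_MS = 24 * 60 * 60 * 1000;
const EXPIRING_SOON_MS = 7 * DAY_MS;   // "Expiring Soon" badge window
const ROTATION_AGE_MS = 90 * DAY_MS;   // recommended rotation interval

function parseTime(iso) {
  const t = Date.parse(iso);
  if (Number.isNaN(t)) throw new Error(`bad timestamp: ${iso}`);
  return t;
}

// Returns 'active', 'expiring-soon' or 'expired'. A key with no expiry is
// always active; the expiry instant itself already counts as expired.
function keyStatus(key, now = Date.now()) {
  if (!key.expiresAt) return 'active';
  const remaining = parseTime(key.expiresAt) - now;
  if (remaining <= 0) return 'expired';
  if (remaining <= EXPIRING_SOON_MS) return 'expiring-soon';
  return 'active';
}

// What the capture path should consult: expired keys drop out automatically.
function keysForCapture(keys, now = Date.now()) {
  return keys.filter((k) => keyStatus(k, now) !== 'expired');
}

// Keys an owner should act on: expired (remove), no expiry set, or older
// than the 90-day rotation guideline.
function keysNeedingAttention(keys, now = Date.now()) {
  return keys
    .filter((k) =>
      keyStatus(k, now) === 'expired' ||
      !k.expiresAt ||
      now - parseTime(k.createdAt) > ROTATION_AGE_MS)
    .map((k) => k.id);
}
```

Compare timestamps as instants (UTC milliseconds), never as date strings; a string comparison of "2025-06-05" against a local-time "now" shifts the badge by up to a day depending on the server's timezone.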
Email Security
RFC 8058 One-Click Unsubscribe
All emails from AEO Optima include compliant List-Unsubscribe and List-Unsubscribe-Post headers. This enables:
- Gmail — "Unsubscribe" link appears next to the sender name.
- Apple Mail — One-tap unsubscribe banner at the top of the email.
- Other clients — Standard mailto: and https: unsubscribe mechanisms.
Signed tokens
Unsubscribe links use HMAC-SHA256 signed tokens of the form base64url(userId:timestamp:hmacHex) with 90-day validity; because the timestamp is covered by the MAC, a recipient cannot extend a token's lifetime by editing it. Signature verification uses crypto.timingSafeEqual() so that comparison time does not reveal how many bytes of a forged signature were correct.
PII masking
Email addresses are masked in all server-side logs and cron job output (e.g., ind***@domain.com). This prevents PII from appearing in log aggregation services.
Platform Security Features
| Feature | Details |
|---|---|
| Encryption | AES-256-GCM encryption for sensitive data including API keys, connector credentials, and integration tokens |
| Row-Level Security (RLS) | Supabase RLS policies on all tables — users can only read and write their own organization's data |
| RBAC | 4-tier role system: Owner (full control), Admin (manage team + settings), Member (create + edit), Viewer (read-only) |
| Rate limiting | API endpoints are rate-limited to prevent abuse and resource exhaustion |
| Anti-enumeration | Login errors show "Invalid email or password" (never reveals which is wrong). Password reset always shows success regardless of whether the email exists |
| Audit logging | All sensitive operations are logged with timestamps, actor information, and action details |
| SECURITY DEFINER functions | Database functions use SECURITY DEFINER with explicit search_path to prevent privilege escalation |
| Webhook HMAC signatures | Webhook deliveries are signed with HMAC-SHA256 so recipients can verify authenticity |
Enterprise SSO
Enterprise plans support Single Sign-On (SSO) configuration. See the SSO Setup guide for details on configuring SAML or OIDC providers.
Audit Logging
All sensitive operations generate audit log entries. Audit logs are retained for 730 days (2 years) and are accessible from the Admin Panel under Audit Logs. Common logged events include:
- User login/logout
- Role changes
- API key creation/deletion
- Organization member changes
- Data export requests
- Account deletion requests
- MFA enrollment/unenrollment
- Consent events
Plan Availability
| Feature | Availability |
|---|---|
| MFA (TOTP) | All plans |
| Session management | All plans |
| API key expiration | All plans |
| Audit logging | All plans |
| Enterprise SSO | Enterprise only |
| Mandatory MFA enforcement | Enterprise only (via SSO) |