Security
Prioritize security in your applications with Nuvix. Discover best practices, security features, and guidelines to protect user data and ensure authentication integrity.
Nuvix provides comprehensive security features to keep both your project and your users' information secure. Built with security-first principles, Nuvix handles the complex parts so you can focus on building great applications.
Session persistence
Nuvix handles session persistence consistently across all platforms. After authenticating, the session persists so users won't need to log in again when they return to your app.
Best Practice: Only keep user sessions active as long as needed and maintain exactly one instance of the Client SDK in your app to avoid conflicting session data.
Platform-specific storage
| Platform | Storage Method |
|---|---|
| Web | Uses secure session cookies with localStorage fallback |
| Mobile | Uses secure native storage (Keychain/Keystore) |
| Server | Session tokens with configurable expiration |
Session limits
Control the number of active sessions per user to prevent accumulation of unused sessions. When the limit is reached, the oldest session is automatically removed.
Configure session limits in your Nuvix Console under Auth > Security > Session Limits. Default limit is 10 sessions per user, with a maximum of 100.
Permissions system
Nuvix uses a robust permissions model coupled with user sessions to ensure users have correct permissions to access resources. Access is granted at the collection, bucket, document, or file level.
Permissions are enforced for client SDKs and server SDKs when using JWT, but are ignored when using server SDKs with API keys.
Learn about permissions
Understand Nuvix's permission system for fine-grained access control
Password security
Password history
Prevent users from reusing recent passwords. This protects accounts by enforcing new passwords on every change.
Enable password history in your Nuvix Console under Auth > Security > Password History. Choose how many previous passwords to remember (up to 20).
Password dictionary
Protect users from using common passwords. Nuvix compares passwords against the 10,000 most common passwords and rejects matches.
Enable this feature in Auth > Security > Password Dictionary. Combined with rate limiting, this significantly reduces the effectiveness of brute-force attacks.
Password hashing
Nuvix uses the Argon2 password-hashing algorithm - the winner of the Password Hashing Competition. Argon2 combines:
- Salting: Unique salt for each password
- Adjustable work factors: Configurable computational cost
- Memory hardness: Resistant to GPU attacks
If users are imported with different hash formats, passwords are automatically re-hashed with Argon2 on first successful login.
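The re-hash-on-login flow described above, as an added example that is not Nuvix's own code: an imported user whose password was stored as unsalted sha256 is verified against that legacy format and, on the first successful login, transparently upgraded to a salted memory-hard hash. Nuvix uses Argon2; this example substitutes scrypt from Python's standard library (also memory-hard, with tunable cost) so it runs without third-party packages, and the cost parameters are illustrative assumptions, not Nuvix's settings.

```python
import hashlib
import hmac
import os

# Cost parameters of the memory-hard hash. scrypt stands in for Argon2 here;
# the values are assumptions for illustration, not Nuvix's configuration.
SCRYPT_N, SCRYPT_R, SCRYPT_P, SALT_LEN = 2 ** 14, 8, 1, 16


def hash_password(password: str) -> str:
    """Hash with a fresh random salt; salt and parameters are stored with the digest."""
    salt = os.urandom(SALT_LEN)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_scrypt(password: str, stored: str) -> bool:
    _, n, r, p, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p))
    return hmac.compare_digest(digest.hex(), digest_hex)


def verify_legacy_sha256(password: str, stored: str) -> bool:
    """Imported users: unsalted sha256 hex, the weak format being migrated away from."""
    expected = stored.split("$", 1)[1]
    return hmac.compare_digest(hashlib.sha256(password.encode()).hexdigest(), expected)


def login(users: dict, email: str, password: str) -> bool:
    """Verify against whatever format is stored; upgrade legacy hashes on success."""
    stored = users.get(email)
    if stored is None:
        hash_password(password)  # spend the same work for unknown accounts
        return False
    if stored.startswith("scrypt$"):
        return verify_scrypt(password, stored)
    if stored.startswith("sha256$") and verify_legacy_sha256(password, stored):
        users[email] = hash_password(password)  # transparent upgrade on first login
        return True
    return False


def legacy_store() -> dict:
    """Constructed sample: one imported user stored with unsalted sha256."""
    return {"alice@example.com": "sha256$" + hashlib.sha256(b"correct horse").hexdigest()}
```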
Personal data protection
Encourage strong passwords by preventing users from choosing passwords containing personal information like name, email, or phone number.
Enable this in Auth > Security > Personal Data Protection.
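To show what the password dictionary and personal data protection checks do together, here is an added example (not Nuvix's implementation): a policy check that rejects a candidate password if it is on a common-password list or contains fragments of the user's name, email local part, or phone digits. The six-entry list stands in for Nuvix's 10,000-entry dictionary, and the minimum fragment length is an assumption.

```python
import re

# Constructed stand-in for the 10,000-entry common-password list Nuvix checks against.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "iloveyou", "welcome1"}
MIN_TOKEN_LEN = 3  # assumption: ignore very short name fragments that match by chance


def personal_tokens(name: str, email: str, phone: str) -> set:
    """Fragments of the user's personal data that must not appear in a password."""
    tokens = set()
    for part in re.split(r"[\s._\-]+", name.lower()):
        if len(part) >= MIN_TOKEN_LEN:
            tokens.add(part)
    local = email.lower().split("@", 1)[0]      # local part of the address
    tokens.add(local)
    tokens.update(p for p in re.split(r"[._\-+]+", local) if len(p) >= MIN_TOKEN_LEN)
    digits = re.sub(r"\D", "", phone)            # phone number as bare digits
    if len(digits) >= 4:
        tokens.add(digits)
    return tokens


def check_password(password: str, name: str, email: str, phone: str) -> list:
    """Return the policy violations found; an empty list means the password is acceptable."""
    problems = []
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        problems.append("dictionary: password is among the most common passwords")
    for token in sorted(personal_tokens(name, email, phone)):
        if token in lowered:
            problems.append(f"personal-data: password contains '{token}'")
    return problems
```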
Session security
Session alerts
Enable email alerts so users are notified when new sessions are created for their account. This helps users detect unauthorized access quickly.
Configure session alerts in Auth > Security > Session Alerts.
No alerts are sent for Magic URL, Email OTP, or OAuth2 logins since these methods already verify user access to their systems.
Multi-factor authentication
Add an extra layer of security with MFA. Require users to provide a second factor beyond their password for sensitive operations.
Set up MFA
Learn how to implement multi-factor authentication for enhanced security
Privacy controls
Membership privacy
Protect team members' personal information by marking specific membership details as private. This is crucial for apps where privacy is paramount.
Make these details private in Auth > Security > Memberships Privacy:
- userName - Member's name
- userEmail - Member's email address
- mfa - Whether the member has enabled MFA
Rate limiting
Nuvix implements intelligent rate limiting to prevent abuse and protect your application from attacks. Rate limits are automatically applied to:
- Authentication attempts
- API requests
- Password reset requests
- Session creation
Development security
Mock phone numbers
Test SMS authentication without real phone numbers. Create mock numbers with predefined OTP codes for development and testing.
Set up mock numbers in Auth > Security > Mock Phone Numbers.
Only use mock numbers in development environments. Never enable them in production.
Security best practices
Use HTTPS always
Ensure all communications with Nuvix use HTTPS. The Nuvix client enforces this by default.
Validate input
Always validate and sanitize user input on both client and server sides.
Implement proper error handling
Don't expose sensitive information in error messages. Use generic error messages for users.
Regular security reviews
Periodically review your security settings and update them based on your application's needs.
Monitor authentication events
Use Nuvix's logging and monitoring features to track authentication events and detect suspicious activity.