Effective Date: November 19, 2025 • Last Updated: November 19, 2025
1. Authentication Provider
Aurium uses Clerk (clerk.com) as our authentication provider.
Clerk Security Features
- SOC 2 Type II certified
- bcrypt password hashing with unique salts
- Brute-force protection and rate limiting
- Session management with secure tokens
- HTTPS-only authentication
2. Customer Authentication
2.1 Sign-Up Methods
Customers can create accounts using:
- Email and password
- Google OAuth
- Other social providers (as configured)
2.2 Password Requirements
| Requirement | Setting |
|---|---|
| Minimum length | 8 characters |
| Maximum length | 72 characters (bcrypt limit) |
| Character restrictions | None (all characters allowed) |
| Common password blocking | Enabled |
| Leaked password detection | Enabled |
2.3 Session Management
| Setting | Value |
|---|---|
| Session token type | JWT |
| Token expiration | Configurable (default 7 days) |
| Secure cookie flag | Enabled |
| HttpOnly cookie flag | Enabled |
3. Multi-Factor Authentication (MFA)
3.1 Availability
MFA is available for all Aurium customers through Clerk.
3.2 Supported Methods
- Time-based One-Time Password (TOTP) via authenticator apps
- SMS verification (backup option)
- Backup codes
3.3 Current Configuration
| Setting | Status |
|---|---|
| MFA available | Yes |
| MFA required | Optional (user choice) |
| Authenticator apps | Supported |
| SMS codes | Supported |
4. Enterprise Single Sign-On (SSO)
4.1 Supported Protocols
| Protocol | Status |
|---|---|
| SAML 2.0 | Supported |
| OpenID Connect (OIDC) | Supported |
4.2 Supported Identity Providers
- Okta
- Azure AD / Microsoft Entra ID
- Google Workspace
- OneLogin
- Auth0
- Custom SAML/OIDC providers
4.3 SSO Security Features
- Just-in-time (JIT) provisioning
- Domain verification required
- Automatic user deprovisioning
- Audit logging
5. API Authentication
5.1 API Key Management
| Feature | Description |
|---|---|
| Key format | Prefixed tokens (e.g., au_live_...) |
| Storage | Hashed in database |
| Rotation | Customer-initiated |
| Scopes | Per-key permissions |
5.2 Best Practices
- Rotate keys periodically
- Use environment variables for storage
- Never commit keys to source code
- Create separate keys for different environments
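The scheme in 5.1 (prefixed keys, hash-only storage, per-key scopes, customer-initiated rotation) is straightforward to implement, and the details matter for defenders: the server must never store the plaintext key, verification must be constant-time, and a rotated key must stop working immediately. The following is an added example written for this document, not Aurium's or Clerk's code. It assumes the `au_live_` prefix shown in the table and invents a matching `au_test_` prefix, an embedded key ID used for database lookup, and a small in-memory store standing in for the real database.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

# Assumed prefixes: "au_live_" appears in the policy table above; "au_test_"
# is a hypothetical counterpart for the "separate keys per environment" advice.
PREFIXES = {"live": "au_live_", "test": "au_test_"}


@dataclass
class StoredKey:
    key_id: str          # short public identifier, safe to show in dashboards and logs
    key_hash: str        # SHA-256 of the full secret; the plaintext is never stored
    scopes: frozenset    # per-key permissions
    revoked: bool = False


class ApiKeyStore:
    """In-memory stand-in for the keys table (constructed for this example)."""

    def __init__(self):
        self._keys = {}  # key_id -> StoredKey

    @staticmethod
    def _hash(secret: str) -> str:
        # API keys are high-entropy random strings, so a fast hash is sufficient;
        # a slow password hash (bcrypt) is only needed for low-entropy user passwords.
        return hashlib.sha256(secret.encode("utf-8")).hexdigest()

    def create_key(self, env: str, scopes: Iterable[str]) -> str:
        prefix = PREFIXES[env]
        key_id = secrets.token_hex(4)                 # 8 hex chars, never contains "_"
        secret = f"{prefix}{key_id}_{secrets.token_urlsafe(24)}"
        self._keys[key_id] = StoredKey(key_id, self._hash(secret), frozenset(scopes))
        return secret  # returned to the customer exactly once

    @staticmethod
    def _parse(presented: str) -> Optional[Tuple[str, str]]:
        """Split a presented key into (env, key_id); None if the format is wrong."""
        for env, prefix in PREFIXES.items():
            if presented.startswith(prefix):
                key_id, sep, _ = presented[len(prefix):].partition("_")
                if sep and key_id:
                    return env, key_id
        return None

    def authenticate(self, presented: str, required_scope: str) -> bool:
        parsed = self._parse(presented)
        if parsed is None:
            return False
        _, key_id = parsed
        record = self._keys.get(key_id)
        if record is None or record.revoked:
            return False
        # Constant-time comparison of hashes avoids leaking how many bytes matched.
        if not hmac.compare_digest(record.key_hash, self._hash(presented)):
            return False
        return required_scope in record.scopes

    def rotate(self, old_presented: str) -> Optional[str]:
        """Customer-initiated rotation: revoke the old key, issue a new one with the same scopes."""
        parsed = self._parse(old_presented)
        if parsed is None:
            return None
        env, key_id = parsed
        record = self._keys.get(key_id)
        if record is None or record.revoked:
            return None
        if not hmac.compare_digest(record.key_hash, self._hash(old_presented)):
            return None
        record.revoked = True
        return self.create_key(env, record.scopes)

    def plaintext_is_stored(self, presented: str) -> bool:
        """Audit helper: confirms no record holds the raw key."""
        return any(presented in (r.key_id, r.key_hash) for r in self._keys.values())


if __name__ == "__main__":
    store = ApiKeyStore()
    key = store.create_key("live", ["read:invoices"])
    print("issued:", key)
    print("read allowed:", store.authenticate(key, "read:invoices"))
    print("write allowed:", store.authenticate(key, "write:invoices"))
    new_key = store.rotate(key)
    print("old key still valid after rotation:", store.authenticate(key, "read:invoices"))
    print("new key valid:", store.authenticate(new_key, "read:invoices"))
```

Two design points worth noting: the embedded key ID lets the server look up one row by primary key instead of hashing and scanning, and the prefix lets secret scanners (and the "never commit keys" rule in 5.2) recognise a leaked key by shape without needing the database at all.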
6. Internal Team Authentication
6.1 Requirements
All Aurium team members must:
- Use Google OAuth for all internal tools
- Enable Google 2-Step Verification (2FA)
- Use 1Password for credential management
6.2 Internal Systems
| System | Authentication Method |
|---|---|
| GitHub | Google OAuth + GitHub 2FA |
| Vercel | Google OAuth |
| Neon | Google OAuth |
| 1Password | Master password + 2FA |
7. Contact
For authentication questions: security@aurium.ai