Security

Last updated: March 2026

Authentication

Intuito supports three authentication methods: a username or email address with a password, a one-time code sent by email (OTP), and OAuth providers such as Google, Facebook, X, and LinkedIn where configured. Passwords are stored only as scrypt key-derivation hashes, never in plain text; in transit they are protected by TLS (see Encryption in Transit below). OTP codes are stored as SHA-256 hashes, never as the code itself, and expire 90 seconds after they are issued.

Encryption in Transit

All data exchanged between your browser and our servers is encrypted using TLS 1.2 or higher. We enforce HTTPS on all endpoints and redirect plain-HTTP requests to HTTPS.

Session Management

Sessions are managed with signed JWTs that the server validates on every protected request. The session token is stored in an HttpOnly cookie, so scripts running in the page cannot read it.

Rate Limiting

Login attempts and OTP requests are rate-limited to mitigate brute-force attacks. Repeated failed login attempts introduce mandatory delays before further attempts are accepted.
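The throttling behaviour described above, as an added example written for this page and not Intuito's implementation: a per-key failure counter whose mandatory delay doubles after a few free attempts, is capped, and resets after a quiet period or a successful login. The thresholds, the in-memory store and the key (account identifier) are assumptions.

```javascript
// Added example, not Intuito's code: login throttling with a failure counter and
// a mandatory delay that grows with each failure. Thresholds are assumptions.
const MAX_FREE_ATTEMPTS = 3;      // failures before delays begin
const BASE_DELAY_MS = 1000;       // first mandatory delay
const MAX_DELAY_MS = 15 * 60_000; // delay never exceeds 15 minutes
const WINDOW_MS = 60 * 60_000;    // counter resets after an hour without failures

// key -> { failures, notBefore, lastFailure }. In-memory for the example; see note below.
const attempts = new Map();

// Delay required before the next attempt, given the number of failures so far.
function requiredDelayMs(failures) {
  if (failures < MAX_FREE_ATTEMPTS) return 0;
  return Math.min(BASE_DELAY_MS * 2 ** (failures - MAX_FREE_ATTEMPTS), MAX_DELAY_MS);
}

function checkAllowed(key, now = Date.now()) {
  const entry = attempts.get(key);
  if (!entry) return { allowed: true, retryAfterMs: 0 };
  if (now - entry.lastFailure > WINDOW_MS) {      // quiet period elapsed: forget the history
    attempts.delete(key);
    return { allowed: true, retryAfterMs: 0 };
  }
  if (now < entry.notBefore) return { allowed: false, retryAfterMs: entry.notBefore - now };
  return { allowed: true, retryAfterMs: 0 };
}

function recordFailure(key, now = Date.now()) {
  const entry = attempts.get(key) ?? { failures: 0, notBefore: 0, lastFailure: now };
  entry.failures += 1;
  entry.lastFailure = now;
  entry.notBefore = now + requiredDelayMs(entry.failures);
  attempts.set(key, entry);
  return entry;
}

function recordSuccess(key) {
  attempts.delete(key);
}

// The login handler's view: refuse throttled requests before touching credentials,
// so a throttled attacker cannot even learn whether the password was right.
function attemptLogin(key, passwordOk, now = Date.now()) {
  const gate = checkAllowed(key, now);
  if (!gate.allowed) return { ok: false, reason: 'throttled', retryAfterMs: gate.retryAfterMs };
  if (passwordOk) {
    recordSuccess(key);
    return { ok: true };
  }
  const entry = recordFailure(key, now);
  return { ok: false, reason: 'bad_credentials', retryAfterMs: entry.notBefore - now };
}
```

Two practical notes. A growing delay is chosen over a hard lockout so that an attacker cannot lock a victim out by deliberately failing; keying on the account alone still lets a distributed attacker spread guesses across many accounts, so real deployments usually key on both the account and the client address. And a `Map` in process memory does not survive across the separate instances that a serverless platform such as Vercel runs, so the counter has to live in a shared store (a database row or a cache service) for the limit to hold.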

Infrastructure

The application is deployed on Vercel with automatic HTTPS and DDoS mitigation. The database runs on a private network and is not publicly accessible. Secrets and credentials are managed via environment variables and are never committed to source control.

Responsible Disclosure

If you discover a security vulnerability in Intuito, please report it responsibly by emailing security@intuito.app. Please do not publicly disclose vulnerabilities before we have had a reasonable opportunity to investigate and remediate. We are grateful for responsible security research.