Security Overview
Security Overview
BookYourPTO is built for organizations that hold sensitive people data — leave records, compensation, identity documents, and time logs. This page is the security model at a glance, so admins and security reviewers can see how the pieces fit together. Each topic links to a dedicated page with the full detail.
Layered request protection
Every API request passes through layered security checks before it reaches a handler — resolving the organization context, validating the caller's session, confirming the account is active and in good standing, enforcing the org's plan entitlements, and recording the request for monitoring.
Authentication
Login uses short-lived JWT access tokens paired with longer-lived refresh tokens stored in the database. Every refresh rotates both tokens atomically — the old pair is deleted and a new one issued — so a stolen refresh token is useful only until the legitimate client refreshes next. Reuse of a rotated token is treated as theft.
See Authentication for the login flow, token rotation, password policy, force-password-change, and forgot/reset.
Two-factor authentication & trusted devices
Optional (or org-mandated) TOTP two-factor with one-time backup codes. Devices can be trusted to skip the 2FA prompt for a limited time, and every trusted device can be listed and revoked.
See Two-Factor & Devices.
Encryption at rest
Personally identifiable information is encrypted in the database with AES-256-GCM field encryption, while still supporting fast lookups without decrypting every row.
Rate limiting
Auth-sensitive endpoints — login, two-factor verification, password reset, deletion-code requests, and data exports — are subject to strict rate limits to blunt brute-force and abuse. When a limit is hit, responses return HTTP 429 with a retryAfter value telling the client how long to wait.
Security headers
In production, responses carry hardened headers: HSTS, X-Content-Type-Options: nosniff, X-Frame-Options: SAMEORIGIN, a strict referrer policy, a restrictive permissions policy, and a Content-Security-Policy.
Audit logging & monitoring
Every meaningful action is recorded with a full before/after change record, the actor, IP, user agent, and timestamp. Sign-in attempts (success and failure) are tracked separately, and an unknown-login email alert fires on logins from new locations.
See Audit & Monitoring.
Account deletion & privacy
In-app, GDPR/CCPA-compliant account deletion, organization deletion, data export, and CCPA opt-out — each confirmed where required by an emailed 6-digit code.
See Account Deletion & Privacy.
Demo-instance lockdown
The public demo runs in a locked-down mode that blocks destructive writes, so anyone can explore it without affecting other visitors.
Roles
Access is scoped by four roles — Employee, Department Head, Administrator, Executive — plus a per-user isApprover flag and department scoping. All client-side permission checks are mirrored and enforced on the server; the backend is always authoritative.
See Roles & Permissions.
Email Configuration (SMTP)
Learn how to configure SMTP settings to enable system emails such as notifications, alerts, and user communications.
Authentication
How sign-in works in BookYourPTO — login, JWT access and refresh tokens with rotation, force-password-change, the password policy, forgot/reset, and email verification.