Trust & security
Built so your data stays yours.
Aura acts on your behalf across powerful apps — so security isn't a feature, it's the foundation. Here's exactly how it works.
Tokens never reach the browser
Your OAuth tokens and API keys live server-side only. The client never receives them — not in a response, not in a cookie, not in logs.
Encrypted at rest
Every credential is encrypted before it touches the database and decrypted only in-process, at the moment of a tool call.
Row-level security
Every user-scoped table enforces row-level security, so one user can never read another's connections, sessions, or documents.
The avatar never sees a secret
The voice/video vendor handles only speech and face. All reasoning and tool execution happen in Aura's backend; the vendor never sees a tool call or a token.
Confirm before it acts
Anything outward-facing — sending an email, creating a repo, posting to Slack — is confirmed with you first, then executed and reported.
Scoped & revocable
Connect only the apps you want, with the scopes you choose. Disconnect any of them at any time from Settings.