Trust & security

Built so your data stays yours.

Aura acts on your behalf across powerful apps — so security isn't a feature, it's the foundation. Here's exactly how it works.

Tokens never reach the browser

Your OAuth tokens and API keys live server-side only. The client never receives them — not in a response, not in a cookie, not in logs.

Encrypted at rest

Every credential is encrypted before it touches the database and decrypted only in-process, at the moment of a tool call.

Row-level security

Every user-scoped table enforces row-level security, so one user can never read another's connections, sessions, or documents.

The avatar never sees a secret

The voice/video vendor only handles speech and face. All reasoning and tool execution happen in Aura's backend — it never sees a tool call or a token.

Confirm before it acts

Anything outward-facing — sending an email, creating a repo, posting to Slack — is confirmed with you first, then executed and reported.

Scoped & revocable

Connect only the apps you want, with the scopes you choose. Disconnect any of them at any time from Settings.

Questions about security?

We're happy to walk through the architecture in detail.

Get started