Session security
Your Keylight dashboard is where you mint licenses, revoke keys, and rotate your SDK key. A compromised dashboard account means a compromised product. This page covers the mitigations Keylight has in place and what you can do on your side.
What Keylight does
- Passwords are hashed at rest. Keylight never stores plaintext passwords. Your password is hashed with PBKDF2-SHA256 at 600,000 iterations and a per-account salt before it hits storage - an attacker with database access still has to mount an offline brute-force against each hash individually.
- Sessions are bound to your account. Your dashboard session cookie is HMAC-signed and scoped to your account’s URL path. A cookie issued for your account cannot be replayed against anyone else’s dashboard.
- CSRF tokens on every state change. Minting keys, revoking licenses, rotating the SDK key - all require an account-bound CSRF token. This stops a malicious site from tricking your browser into performing dashboard actions while you’re logged in.
- Login rate limiting. Login attempts are capped at 5 per minute per (account, IP) pair. Online brute force is not viable.
What you should do
Choose a strong password
The 600k-iteration hash raises the cost of offline cracking, but it can’t rescue password123. Use a password manager and generate a random 16+ character password. Avoid anything reused from another site.
Log out when you’re done
Sessions are cookie-based. Log out explicitly if you’re on a shared machine, or clear the cookie from your browser. Closing the tab does not end the session.
Don’t share your credentials
Keylight currently supports one login per account. If you need to grant a teammate access, set up a shared password manager entry rather than sharing credentials over chat/email. Rotating the password later is faster than tracing which channel a leak came through.
Rotate after exposure
If you suspect your password has leaked - a compromised password manager, a phishing click, a lost laptop - change it immediately from the dashboard’s account settings. Also rotate your SDK key, since a dashboard account can issue a new one at any time.
Related
- SDK key - how to rotate the key that authenticates your app builds.
- Threat model - what Keylight does and doesn’t defend against.