
Security & Authentication

How ReachHQ handles security, authentication, and data protection.


Authentication

  • Session-based authentication using secure HTTP-only cookies.
  • Passwords are hashed and never stored in plain text.
  • Sessions expire after inactivity (configurable by the platform).

Authorization

  • Role-based access control (RBAC) with OWNER, ADMIN, MEMBER, VIEWER roles.
  • CASL-based policy enforcement for fine-grained permissions.
  • Organization-level data isolation — you can never access another organization's data.
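An added example (not ReachHQ's code) of how these three points fit together: an ability builder written in the shape of CASL's `can(action, subject, conditions)` API that gives each of the OWNER, ADMIN, MEMBER and VIEWER roles its rules and attaches an `organizationId` condition to every rule, so a record from another organization never matches. The rule matcher is a small dependency-free stand-in for the real `@casl/ability` package, and the `Campaign`, `Member` and `Organization` subjects and the exact powers of each role are assumptions.

```javascript
// Added example (not ReachHQ's code): a CASL-style ability builder for the
// OWNER/ADMIN/MEMBER/VIEWER roles with organization-level data isolation.
// The matcher below stands in for @casl/ability so the file runs with no
// dependencies; subject names and per-role powers are assumptions.
const ROLES = ['OWNER', 'ADMIN', 'MEMBER', 'VIEWER'];

// Build the rule list for a user. Every rule carries an organizationId
// condition, so nothing can ever match a record from another organization.
function defineAbilityFor(user) {
  if (!ROLES.includes(user.role)) throw new Error(`unknown role ${user.role}`);
  const org = { organizationId: user.organizationId };
  const rules = [];
  const can = (action, subject, conditions = {}) =>
    rules.push({ action, subject, conditions: { ...org, ...conditions } });

  can('read', 'Campaign');                                   // every role
  if (user.role !== 'VIEWER') can('update', 'Campaign');     // viewers are read-only
  if (user.role === 'MEMBER') can('delete', 'Campaign', { ownerId: user.id }); // own only
  if (user.role === 'ADMIN' || user.role === 'OWNER') {
    can('delete', 'Campaign');
    can('manage', 'Member');
  }
  if (user.role === 'OWNER') can('manage', 'Organization');
  return rules;
}

// Plain field-equality match, a subset of CASL's MongoDB-style conditions.
function matches(conditions, record) {
  return Object.entries(conditions).every(([k, v]) => record[k] === v);
}

// 'manage' is CASL's alias for every action; subjectType is the type name.
function can(rules, action, subjectType, record) {
  return rules.some(r =>
    (r.action === action || r.action === 'manage') &&
    r.subject === subjectType &&
    matches(r.conditions, record));
}
```

Because the organization condition is merged into every rule inside `defineAbilityFor`, route handlers cannot forget it: a check against a record with a different `organizationId` fails for every role, including OWNER.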

Data Protection

  • All API communications use HTTPS.
  • Mailbox credentials are stored encrypted.
  • OAuth tokens are managed securely and refreshed automatically.
  • Password reset tokens are single-use and time-limited.
  • Rate limiting prevents brute-force attacks (20 requests per 60 seconds per IP).

Privacy

  • The forgot password endpoint always returns 200 OK to prevent email enumeration.
  • Mailbox credentials are never returned in API responses.
  • Soft-delete allows recovery; permanent delete is truly permanent.