Security
Magical Auth implements multiple layers of security to ensure phone verification is safe and reliable.
Security Features
🔐 Cryptographic Protection
- Carrier-signed credentials: All credentials are cryptographically signed by the mobile carrier
- JWT validation: Industry-standard JSON Web Tokens with signature verification
- Session encryption: End-to-end encryption for sensitive session data
- TLS 1.3: All API communications use modern TLS encryption
⏱️ Time-based Security
- 5-minute session expiry: Sessions automatically expire after 5 minutes
- Single-use credentials: Each credential can only be used once
- Nonce validation: Prevents replay attacks with unique nonces
🛡️ Access Control
- API key authentication: All requests require valid API keys
- Rate limiting: Automatic throttling to prevent abuse
- IP allowlisting: Optional IP restrictions for production environments
Best Practices
For Backend Implementation
- Keep API keys server-side only: never expose them in client code
- Use HTTPS everywhere: ensure all communications are encrypted
- Validate all inputs: check phone numbers and session data
- Handle errors gracefully: don't expose internal details in error messages
- Log security events: monitor for suspicious activity
For Frontend Implementation
- Use official SDKs: they handle security details correctly
- Don't cache credentials: let them expire naturally
- Validate responses: check all data received from APIs
- Use Content Security Policy: restrict resource loading
Compliance
Privacy Standards
- GDPR compliant: User consent required, data minimization
- CCPA compliant: California privacy requirements met
- TCPA compliant: Proper consent for phone verification
Industry Standards
- OAuth 2.0 compatible: Standard authorization flows
- OpenID Connect: Identity layer on top of OAuth 2.0
- W3C Digital Credentials: Browser-native credential management
Security Architecture
```
┌─────────────┐     HTTPS/TLS     ┌─────────────┐
│   Browser   │◄─────────────────►│ Your Server │
└─────────────┘                   └─────────────┘
       │                                 │
       │ Digital                         │ API Key +
       │ Credentials                     │ HTTPS/TLS
       │                                 │
       ▼                                 ▼
┌─────────────┐                   ┌─────────────┐
│   Carrier   │◄─────────────────►│  Glide API  │
│   Network   │  Secure Channel   │   Server    │
└─────────────┘                   └─────────────┘
```
Threat Mitigation
| Threat | Mitigation |
|---|---|
| Man-in-the-middle | TLS 1.3, certificate pinning |
| Replay attacks | Nonces, single-use credentials |
| Session hijacking | Short expiry, encrypted sessions |
| API abuse | Rate limiting, API key validation |
| Data leakage | No sensitive data in logs |
Incident Response
If you suspect a security issue:
- Immediately rotate API keys
- Contact [email protected]
- Review access logs
- Implement additional restrictions if needed
Security Updates
We regularly update our security measures. Subscribe to security bulletins at:
- Email: [email protected]
- Status: https://status.glideidentity.app
Responsible Disclosure
Found a security vulnerability? Please report it responsibly:
- Email: [email protected]
- PGP key available on request
- Response within 24 hours
For additional security questions, contact our security team.