Security

Last updated on May 21, 2026

Security lives in three places across the product. Access covers auth (SSO, SCIM, 2FA, API keys, roles, teams), and Self-hosting covers data residency and air-gap deployments. This section covers the audit trail your security team reads during an incident.

API audit log

A signed trail of every API request to your organization, with caller, endpoint, status, latency, and source IP.

How is this guide?

License

Learn how the TofuPilot license JWT works on self-hosted instances, including delivery modes, contents, expiry behavior, and refresh failures.

API Audit Log

Learn how the TofuPilot API audit log records every authenticated request to your organization, with caller, endpoint, status, latency, and source IP.