Authentication & Security

Noah implements a comprehensive security model designed to protect your AI systems and data. The platform supports multiple authentication methods, advanced security features, and detailed access controls.

Authentication Methods

Noah provides two primary authentication methods optimized for different use cases. Session-based authentication works for web browser access with automatic session management. API key authentication enables programmatic access for integrations and automation.

Session-Based Authentication

When you log in through the web interface, Noah creates a secure session using HTTP-only cookies that cannot be accessed by JavaScript. Sessions automatically expire after 30 days of inactivity, though this is configurable based on your security requirements. The platform tracks all active sessions, allowing you to review where you're logged in and terminate suspicious sessions immediately.

API Key Authentication

For programmatic access, Noah issues API keys in the format ctf_[32-character-string]. These keys are hashed using SHA-256 before storage. Each key is scoped to a specific organization and can have custom permissions, expiration dates, and rate limits.
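As an added illustration (not Noah's own code), the following Python sketches the issue, store and verify flow this paragraph describes: a key in the ctf_ plus 32-character form is generated from a CSPRNG, only its SHA-256 digest is persisted, and a presented key is resolved by hashing it and looking the digest up. The alphanumeric alphabet, the in-memory dict used as the key store, and the expiry and revocation fields are assumptions for the example.

```python
import hashlib
import secrets
import string
import time
from typing import Optional

# Key shape described on the page: "ctf_" followed by a 32-character string.
# The alphanumeric alphabet is an assumption of this example.
KEY_PREFIX = "ctf_"
KEY_BODY_LEN = 32
ALPHABET = string.ascii_letters + string.digits


def generate_api_key() -> str:
    """Return a new key such as ctf_<32 random alphanumerics>, CSPRNG-backed."""
    body = "".join(secrets.choice(ALPHABET) for _ in range(KEY_BODY_LEN))
    return KEY_PREFIX + body


def hash_api_key(key: str) -> str:
    """Hex SHA-256 digest of the key; this is the only form that gets stored."""
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


def issue_key(store: dict, org_id: str, ttl_seconds: Optional[int] = None) -> str:
    """Create a key scoped to org_id, persist only its hash, return plaintext once."""
    key = generate_api_key()
    expires = time.time() + ttl_seconds if ttl_seconds is not None else None
    store[hash_api_key(key)] = {"org": org_id, "expires": expires, "revoked": False}
    return key


def revoke_key(store: dict, key: str) -> bool:
    """Mark a key revoked; returns False if the key is not known."""
    record = store.get(hash_api_key(key))
    if record is None:
        return False
    record["revoked"] = True
    return True


def authenticate(store: dict, presented: str, now: Optional[float] = None):
    """Resolve a presented key to its org, or None if unknown, revoked or expired."""
    if not presented.startswith(KEY_PREFIX) or len(presented) != len(KEY_PREFIX) + KEY_BODY_LEN:
        return None  # reject malformed input before touching the store
    record = store.get(hash_api_key(presented))
    if record is None or record["revoked"]:
        return None
    now = time.time() if now is None else now
    if record["expires"] is not None and now >= record["expires"]:
        return None
    return record["org"]
```

Because the store holds digests only, a copy of it does not yield usable keys; the plaintext exists solely in the response to the caller at issue time.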

Two-Factor Authentication (2FA)

Two-factor authentication adds an essential security layer requiring both your password and a time-based code from your authenticator app or phone. Noah supports TOTP authenticator apps like Google Authenticator, Authy, or 1Password, as well as SMS-based codes. When you enable 2FA, the system generates backup codes that should be stored securely for account recovery.

Session Management

The session management interface provides complete visibility into all active login sessions across your devices. For each session, you can see the browser and operating system, geographic location, last activity timestamp, and device type. If you notice an unfamiliar session, you can terminate it immediately.

Login Activity Monitoring

Every authentication attempt is logged in the activity monitor with date, time, status, location, device information, and IP address. Noah automatically sends email notifications for security events like repeated failed login attempts or successful logins from new devices or countries.

Security Best Practices

Enable two-factor authentication immediately after creating your account. Use strong, unique passwords with at least 16 characters. Never reuse passwords across services. Store passwords in a password manager. Review active sessions weekly. Rotate API keys every 90 days. Monitor login activity for anomalies. Use IP whitelisting when working from predictable locations. Never share API keys or account credentials.

IP Whitelisting

For organizations with fixed IP addresses or VPN infrastructure, IP whitelisting provides an additional security layer. When enabled, only requests from approved IP addresses or ranges can access your account. You can configure whitelisting to cover entire network ranges using CIDR notation.

API Key Security

Generate separate keys for each environment (development, staging, production). Store keys in secrets management systems like AWS Secrets Manager, HashiCorp Vault, or Kubernetes Secrets. Never commit API keys to version control. Use environment variables to inject keys at runtime. Implement a key rotation schedule. Monitor key usage regularly and revoke keys promptly when no longer needed.