
Security

This page describes how Colony Cloud is built with respect to authentication, credential storage, infrastructure hosting, and the worker credential model. Claims here reflect the current implementation — not aspirational targets.

Colony Cloud uses GitHub OAuth for all human user authentication.

  • When you sign in, Colony Cloud redirects you to GitHub. You authorize the Colony Cloud application on GitHub’s site. Colony Cloud receives your GitHub identity (user ID, username, organization memberships) from GitHub’s OAuth response.
  • No separate username or password is stored by Colony Cloud.
  • Sessions are carried in a cookie set with the HttpOnly and SameSite=Strict attributes that holds a signed JWT. There is no separate session store: the JWT is self-contained and its signature and expiry are verified on each API request.
  • Session lifetime is fixed. Refreshing a session requires re-authorizing with GitHub.

GitHub organization membership is verified at sign-in and on each organization context switch. If your GitHub account is removed from an organization, your access to the corresponding Colony Cloud organization is revoked on your next session validation.

Org secrets entered in Settings → Secrets are encrypted at rest using AES-GCM before being written to the database. The plaintext value is never persisted anywhere in the system after the encryption step completes.

  • You cannot retrieve a secret’s plaintext value after saving it — only overwrite it with a new value.
  • VCS connection access tokens (used by colony-coder and colony-operations) are also encrypted with the same key material. No credentials are stored in plaintext in the database.
  • Deleting a secret removes it permanently. There is no soft-delete or recovery path.

See Secrets for operational instructions on adding, rotating, and deleting secrets.

Component | Hosting
--- | ---
Dashboard (React SPA) | Cloudflare Pages
API (Hono on Workers runtime) | Cloudflare Pages Functions, co-deployed with the dashboard at runcolony.com/api/*
Database | Neon Postgres, accessed via Cloudflare Hyperdrive
Pipeline Store (read-only) | Colony’s Neon Postgres instance, accessed through versioned v1_* views

All traffic between your browser, the Colony Cloud API, and the database is over HTTPS/TLS. The dashboard and API share the same runcolony.com domain — no cross-origin requests are made.

Cloudflare handles DDoS mitigation, TLS termination, and edge caching for static assets. Database connections from the API to Neon go through Cloudflare Hyperdrive’s connection pooler.

Workers never hold long-lived GitHub credentials or GitHub App PEM keys.

On every /api/worker/register and /api/worker/heartbeat call, the Cloud API:

  1. Validates the worker’s Bearer token (issued from Settings → Workers).
  2. Re-mints a short-lived GitHub App installation token for the repositories the worker is authorized to access.
  3. Returns the refreshed token to the worker in the response.

Workers apply the refreshed token via a mutable TokenHolder captured by a custom Octokit auth strategy closure. No worker restart is required when the token refreshes — the new token is picked up in-place.

Revocation takes effect server-side as soon as a worker token is revoked in Settings → Workers. The worker observes it on its next heartbeat call: the request returns 401 and the worker exits, so the window is at most one heartbeat interval. Note that the installation token most recently handed to the worker is a separate, GitHub-issued credential with its own short expiry; revoking the worker token stops further refreshes, but does not by itself invalidate that last token at GitHub before it expires. See Workers (BYO) for instructions on revoking tokens.

Data type | Retention
--- | ---
Active org data (members, repos, config) | Retained for the life of the subscription
Issue history and pipeline events | 90-day rolling window
Deleted secrets | Removed immediately — no recovery path
Post-cancellation data | Retained 90 days after subscription end, then deleted

Secrets deleted through Settings → Secrets are not retained in any backup or soft-delete state. Overwriting is permanent.

For data deletion requests outside the standard retention schedule, contact support.