Security
Identity & Access
Statuscode implements a passwordless, OTP-first security model combined with mandatory activation gates for subscription-based access.
The Security Model
We prioritize security by eliminating static passwords. All access is controlled via time-sensitive, cryptographically secure One-Time Passwords (OTPs) sent to your registered email.
Passwordless
No passwords to leak or forget. Access is always tied to your active email inbox.
Session-Based
Sessions are managed via secure, HttpOnly cookies to prevent XSS-based token theft.
First-time setup lifecycle
1. Verification: Enter your email and verify the 6-digit OTP.
2. Licensing: If no active subscription is found, choose a Plan.
3. Provisioning: Complete the Checkout via Dodo Payments.
4. Initialization: Create your first Project and subdomain.
Security Notifications
Statuscode triggers automated security alerts for high-impact actions:
Login OTP
Dispatched every time a new sign-in attempt is initiated.
Privacy Mutations
Additional verification required when switching a status page from Private to Public.
Technical Layers
Protocol: Magic Link / OTP over HTTPS
Provider: Supabase Auth
Activation Gate: Middleware-enforced subscription check on all /(dashboard) routes.
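The activation gate and the first-time setup lifecycle described above, sketched as a fail-closed decision function. This is an added example, not Statuscode's code; the URL prefix, redirect targets, session and subscription object shapes, and status strings are assumptions.

```javascript
// Added example, not Statuscode's code. Paths, object shapes and status
// strings below are assumptions made for illustration.
const PROTECTED_PREFIXES = ["/dashboard"]; // hypothetical URL prefix
const LOGIN_PATH = "/login"; // hypothetical
const PLANS_PATH = "/plans"; // hypothetical
const ACTIVE_STATUSES = new Set(["active"]); // allowlist: anything else is denied

// Canonicalise before matching so "//dashboard", "/x/../dashboard" or
// "/%64ashboard" cannot slip past a naive prefix comparison.
function normalisePath(rawPath) {
  const segments = [];
  for (const part of decodeURIComponent(rawPath).split("/")) {
    if (part === "" || part === ".") continue;
    if (part === "..") segments.pop();
    else segments.push(part.toLowerCase()); // over-match rather than under-match
  }
  return "/" + segments.join("/");
}

function isProtected(path) {
  return PROTECTED_PREFIXES.some((p) => path === p || path.startsWith(p + "/"));
}

// Returns { action: "allow" | "redirect" | "deny", to?, status? }.
function gateDecision({ path, session, subscription }, nowMs = Date.now()) {
  let canonical;
  try {
    canonical = normalisePath(path);
  } catch (err) {
    return { action: "deny", status: 400 }; // malformed escape: fail closed
  }
  if (!isProtected(canonical)) return { action: "allow" };

  // Step 1 of the lifecycle: a verified, unexpired session must exist.
  if (!session || !(session.expiresAtMs > nowMs)) {
    return { action: "redirect", to: LOGIN_PATH };
  }
  // Steps 2-3: no subscription record, or any non-active status, goes to plans.
  if (!subscription || !ACTIVE_STATUSES.has(subscription.status)) {
    return { action: "redirect", to: PLANS_PATH };
  }
  return { action: "allow" };
}
```

The session and subscription values passed in must come from server-side lookups; a gate that trusts client-supplied state enforces nothing.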
Enterprise SSO
SAML/SSO integrations are currently in limited beta. Contact support for early access.