Security & Compliance
Authentication
Sign-in Methods
Ocriva supports four authentication methods. Choose the one that fits your workflow.
| Method | Flow | Use Case |
|---|---|---|
| Email/Password | Signup → email verification → login | Standard users |
| Google OAuth | Redirect to Google → callback with JWT | Quick sign-in |
| LINE Login | Redirect to LINE → callback with JWT | LINE users (Thailand) |
| API Token | Create in dashboard → use in Authorization header | Programmatic access |
JWT Tokens
After a successful login, Ocriva returns two tokens:
- Access token — short-lived, included in every API request
- Refresh token — long-lived, used to obtain a new access token when the current one expires
Include the access token in every request:
# Using JWT access token
curl -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
https://api.ocriva.com/upload/ORG_ID/fileTo refresh your access token:
# Refresh access token
curl -X POST https://api.ocriva.com/auth/refresh \
-H "Content-Type: application/json" \
-d '{ "refreshToken": "YOUR_REFRESH_TOKEN" }'API Tokens
API tokens are designed for server-to-server integrations where a human user session is not practical. Each token is:
- Created per organization — managed at Organization → API Tokens
- Scoped to specific projects — a token can only access the projects you assign
- Configurable with:
- Permissions — read, write, delete per resource type
- IP whitelist — restrict requests to specific IP addresses
- Expiration date — tokens automatically expire on the set date
# Using an API token (same Authorization header format as JWT)
curl -H "Authorization: Bearer YOUR_API_TOKEN" \
https://api.ocriva.com/upload/ORG_ID/fileIMPORTANT
API tokens are shown only once at creation. Copy and store the value securely in your environment variables or secrets manager. If the token is lost, you must revoke it and generate a new one.
WARNING
Never expose API tokens in client-side code, browser extensions, mobile app bundles, or public repositories. Treat them the same way you would treat a password.
Authorization
Role-Based Access Control (RBAC)
Every member of an organization is assigned one of four roles. Roles determine what actions a member can perform across the organization.
| Role | Access Level |
|---|---|
| Owner | Full control — billing, members, settings, all projects |
| Admin | Manage members and organization settings |
| Member | Create and work with documents and templates |
| Viewer | Read-only access |
In addition to roles, owners and admins can grant granular permissions to individual members:
canCreateTemplates— create and edit templatescanManageMembers— invite and remove team memberscanManageProjects— create, edit, and delete projectscanViewAnalytics— access usage analytics and reports
Organization Isolation
Every API request is validated against the organization the resource belongs to. The system enforces this through OrganizationGuard, which runs on every authenticated endpoint:
- The user must be an active member of the organization
- The user's role must allow the requested action
- No cross-organization data access is possible, even with a valid JWT
NOTE
Even with a valid JWT, you cannot access resources in an organization you are not a member of. The system checks organization membership on every single request — there are no shortcuts.
Data Security
Multi-Tenant Isolation
Ocriva is a multi-tenant platform. Each organization's data is isolated at multiple layers:
- Database — every query includes an
organizationIdfilter; records from one organization are never returned in another organization's queries - File storage — each organization uses a separate path prefix in the storage bucket
- Billing and credits — credit balances, usage, and invoices are scoped per organization
- Team members — membership and permissions exist only within an organization; there is no platform-wide user role
Data at Rest
- Documents are stored in Supabase Storage or Google Cloud Storage, both of which provide encryption at rest managed by the cloud provider
- The database (MongoDB) is hosted with encryption at rest enabled at the provider level
- Application secrets, API keys, and credentials are managed by Doppler — they are never written into source code or configuration files
Data in Transit
- All API communication uses HTTPS/TLS — plain HTTP is not accepted
- WebSocket connections are secured with WSS
- Webhook payloads are signed with HMAC-SHA256 so receivers can verify authenticity
File Retention
- Each project has a configurable file retention policy — files older than the retention period are automatically cleaned up
- Deletes in the application are soft deletes — the record is marked as deleted and hidden from queries, but the underlying data is preserved until the retention period expires or a hard delete is explicitly requested
Webhook Security
Signature Verification
Every webhook delivery from Ocriva includes two headers:
| Header | Value |
|---|---|
X-Webhook-Signature | HMAC-SHA256 signature of the request body |
X-Webhook-Event | The event type (e.g., processing.completed) |
Verify the signature in your webhook handler before processing the payload:
const crypto = require('crypto');
function verifyWebhookSignature(rawBody, signature, secret) {
const expected = crypto
.createHmac('sha256', secret)
.update(rawBody) // use the raw request body string, not a parsed object
.digest('hex');
return crypto.timingSafeEqual(
Buffer.from(signature),
Buffer.from(expected)
);
}
// Express example
app.post('/webhook', express.raw({ type: 'application/json' }), (req, res) => {
const sig = req.headers['x-webhook-signature'];
const secret = process.env.WEBHOOK_SECRET;
if (!verifyWebhookSignature(req.body.toString(), sig, secret)) {
return res.status(401).send('Invalid signature');
}
const event = JSON.parse(req.body);
// process event...
res.sendStatus(200);
});IMPORTANT
Always verify webhook signatures in production. Without verification, an attacker could POST fake webhook events to your endpoint and trigger unintended actions in your system.
Each webhook endpoint has its own secret, generated at creation time. You can rotate the secret at any time from Organization → Webhooks.
API Security Best Practices
Follow these practices to keep your integration secure:
- Use API tokens for server-to-server and JWT for user sessions — do not use a user's JWT in automated scripts
- Set expiration dates on all API tokens — rotate them regularly
- Enable IP whitelisting — restrict API tokens to the known IP addresses of your servers
- Apply least privilege — give each token only the permissions it needs for its specific task
- Store secrets in environment variables — use a secrets manager (Doppler, AWS Secrets Manager, etc.), never hardcode tokens
- Use HTTPS only — never send tokens over plain HTTP connections
- Review access logs — monitor webhook delivery logs and API usage patterns for anomalies
- Verify webhook signatures — validate every incoming webhook payload in production
TIP
IP whitelisting for API tokens is especially effective in production environments. Even if a token leaks, an attacker cannot use it from an unknown IP address.
Compliance Considerations
Ocriva provides features that can help you meet regulatory and data-handling requirements. Compliance obligations ultimately depend on how you use the platform and the regulations that apply to your organization.
PDPA (Thailand)
The Personal Data Protection Act (PDPA) is Thailand's primary data protection law. Ocriva includes several features relevant to PDPA compliance:
- Consent management — built-in consent module to record user consent before collecting personal data
- Data retention policies — configurable per project to limit how long personal data is stored
- Right to deletion — soft delete and hard delete capabilities to fulfill data erasure requests
- Access controls — role-based permissions limit who can view and export data
Consult a legal professional to assess your specific PDPA obligations.
AI Provider Data Handling
Documents uploaded to Ocriva are sent to AI providers for processing. Each provider has its own data retention and privacy policies:
- OpenAI — subject to OpenAI's API data usage and retention policies
- Google Gemini — subject to Google Cloud's data processing terms
- Anthropic Claude — subject to Anthropic's API usage policy
CAUTION
Documents you upload are forwarded to AI providers for OCR and extraction. Review each provider's data handling policy before uploading sensitive documents such as medical records, financial statements, government-issued IDs, or personal information. Choose the AI provider that best meets your compliance requirements.
General Recommendations
- Use project-level retention policies to automatically remove documents after processing
- Assign roles with the minimum permissions required for each team member
- Regularly audit API tokens — revoke unused tokens and review token scopes
- Enable webhook signature verification for all production endpoints