Security
Polygent is engineered for organizations that cannot trade control for convenience. Every architectural guarantee on this page is shipped today — not on a roadmap.
Deployment & data sovereignty
- Fully self-hosted. No customer code, prompts, tickets, or telemetry leave the network.
- Customer-owned database — SQLite, Microsoft SQL Server, or PostgreSQL — selected via configuration. Connection string and DBA controls remain on the customer side.
- Bring-your-own-keys (BYOK) to every supported provider (Polygent Code, Claude Code, Gemini CLI, OpenCode, Kilo CLI, Codex, Qwen Code). Polygent never proxies, brokers, or stores third-party API traffic on its own infrastructure.
- Enterprise SSO via OAuth2 — Google, Microsoft or any OpenID Connect provider.
- RS256 JWT access tokens, short lifetime, signed by an auto-generated 2048-bit RSA keypair and validated by a sign/verify self-test on every load.
- Rotating refresh tokens with a full lineage chain, IP-of-revocation capture, plus per-device user-agent and last-used tracking so users and admins can audit and remotely revoke individual devices (from Profile → Devices and the admin active-sessions view).
- HttpOnly, Secure, SameSite=Lax cookies on all auth flows.
- Role-based permissions spanning Admin, Users, Sessions, Workspaces, Hosts, Workflows, Tickets, Bots, and Settings.
- Workspace as the tenant boundary — each workspace owns its repository, member list, environment variables, hooks, prompts, ticket configuration, and PAT.
- Per-session Git worktree isolation; ephemeral worktrees deleted on session close. No cross-session filesystem visibility.
- Host API keys hashed with PBKDF2-SHA256, 100,000 iterations, 16-byte salt, 32-byte hash, verified in constant time, and layered with IP allow-lists, host-approval gates, and rate limiters. Full audit trail of key creation, use, and deletion.
- Path-traversal protection — every resolved path is verified to stay within its base directory; unauthorized path escapes are blocked and logged.
- Same-origin deployment — the API and client are served from the same origin. Cross-origin client hosting is not a supported topology.
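
The path-traversal item above describes a resolve-then-verify containment check. The following is an added illustration of that pattern in Python, not Polygent's own code; the names `resolve_within`, `PathEscapeError`, `path_guard`, and the directory layout are hypothetical, and the sample paths are constructed.

```python
import logging
import os
import tempfile

log = logging.getLogger("path_guard")  # hypothetical logger name


class PathEscapeError(Exception):
    """Raised when a requested path resolves outside its base directory."""


def resolve_within(base_dir: str, requested: str) -> str:
    """Return the real path of `requested` if it stays under `base_dir`."""
    base = os.path.realpath(base_dir)
    # Join, then resolve: realpath collapses ".." and follows symlinks, so the
    # comparison is made on the path the OS would actually open. An absolute
    # `requested` replaces `base` in the join and is caught by the check below.
    target = os.path.realpath(os.path.join(base, requested))
    try:
        # commonpath compares whole components, so "/srv/ws-evil" is not
        # accepted as inside "/srv/ws" the way a startswith() check would.
        inside = os.path.commonpath([base, target]) == base
    except ValueError:  # e.g. different drives on Windows
        inside = False
    if not inside:
        log.warning("blocked path escape: base=%r requested=%r", base, requested)
        raise PathEscapeError(requested)
    return target


def demo() -> dict:
    """Check constructed inputs; value is True when the path was allowed."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "ws")
        sibling = os.path.join(root, "ws-evil")  # shares the "ws" prefix
        os.makedirs(os.path.join(base, "src"))
        os.makedirs(sibling)
        os.symlink(sibling, os.path.join(base, "link"))  # symlink out of base
        cases = {"inside": "src/main.py", "dotdot_inside": "src/../README.md",
                 "dotdot_escape": "../ws-evil/x", "symlink_escape": "link/x",
                 "absolute_escape": os.path.join(sibling, "x"), "base": "."}
        for label, path in cases.items():
            try:
                resolve_within(base, path)
                results[label] = True
            except PathEscapeError:
                results[label] = False
    return results
```

A check of this kind validates the path at resolution time only; if the directory tree can change between the check and the open, the file should be opened through the resolved path immediately or via a directory file descriptor.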