Security at TryMellon
Verifiable claims about how our platform is built. No aspirational statements — only what the code actually does.
What the code does
Every claim is traceable to implementation. No compliance theater.
Phishing-resistant by design
Passkeys use FIDO2/WebAuthn. Private keys never leave the authenticator. There are no passwords to phish.
Authenticator cloning detection
Every authentication increments a hardware sign counter. Regressions fail the ceremony with HTTP 401 `replay_detected`, write an audit row, and emit a Sentry warning — the credential is never silently accepted.
Brute-force lockout
5 failures → 30-minute soft lock. 10 failures → 24-hour hard lock. Sliding 15-minute window scoped per tenant + external user. Counters are best-effort cleared on successful authentication.
HMAC-SHA256 signed webhooks
All webhook payloads are signed with HMAC-SHA256. Your backend verifies the signature before processing any event.
WORM-style audit logs
Authentication events, lockouts, and replay detections are written append-only. Mutations are limited to GDPR subject scrubs and scheduled retention purges, both governed by per-tenant policy.
Zero-dependency SDK
The @trymellon/js SDK ships with zero runtime dependencies. Your bundle has no transitive supply-chain exposure.
Memory-hard secret hashing
Application `client_secret` values are hashed with Argon2id (m=19 MiB, t=2, p=1). Email OTPs and B2B invitation tokens use HMAC-SHA256 / SHA-256 with a server-side pepper, versioned for zero-downtime rotation.
Responsible Disclosure
If you discover a security vulnerability in TryMellon, please report it to us privately. We take all reports seriously.
Send reports to security@trymellonauth.com
- Acknowledgment: within 48 hours
- Remediation (critical): 30 days
- Public disclosure: coordinated, 90 days max
Out of scope: social engineering, DoS attacks, and automated scanning of production infrastructure.
Infrastructure
- Hosting: Railway (US East)
- Edge / DDoS: Cloudflare
- Database: PostgreSQL 16
- Cache & Sessions: Redis (TLS in transit)
- Monitoring: Sentry + structured audit logs