Security isn't a feature.
It's the foundation.

We built Sentra with a zero-trust architecture. Your secrets are encrypted before they leave your machine, and only you hold the keys.

Security Principles

Client-side encryption

All encryption and decryption happens entirely on your machine. Your secrets never leave your device unencrypted.

Zero knowledge

Your encryption keys never leave your device, so nothing outside it, Sentra included, can decrypt your data. This is zero knowledge in the practical sense: the service never receives keys or plaintext, only ciphertext.

Your infrastructure

Encrypted data is written to cloud storage you control (S3, GCS, Azure Blob). No Sentra-operated or other third-party server ever receives your secrets, and because only you hold the keys, the storage provider itself only ever sees ciphertext.

AES-256-GCM

AES-256-GCM is an authenticated encryption mode (AEAD) in wide use across government and financial systems. It provides confidentiality and also detects any modification of the ciphertext, so a tampered blob is rejected outright instead of being decrypted to garbage. Its one sharp edge is nonce handling: the 96-bit nonce must never repeat under the same key, since a repeat breaks both confidentiality and integrity.

OAuth with PKCE

The CLI authenticates with the OAuth 2.0 authorization code flow plus PKCE (S256 code challenge), so an authorization code intercepted in transit cannot be redeemed without the code verifier that only the CLI holds. The user signs in through the system browser, which redirects to a loopback (127.0.0.1) callback that the CLI is listening on for that login attempt.
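PKCE S256 is small enough to show end to end: the client generates a verifier, sends only its hash to the authorization endpoint, and the token endpoint later checks that the verifier presented with the code hashes to that value. The code below is an added example for this page, not Sentra's implementation (Go, the endpoint URL, client id and loopback port are all assumptions made here). It shows both sides: what the CLI computes and sends, and the check an authorization server performs.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"net/url"
	"regexp"
)

// RFC 7636 permits verifiers of 43..128 characters from [A-Za-z0-9-._~].
var verifierRE = regexp.MustCompile(`^[A-Za-z0-9\-._~]{43,128}$`)

// NewCodeVerifier returns a fresh high-entropy verifier: 32 random bytes,
// base64url-encoded without padding (43 characters). It never leaves the CLI.
func NewCodeVerifier() (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(buf), nil
}

// CodeChallengeS256 computes BASE64URL(SHA256(ASCII(code_verifier))), the
// value sent to /authorize in place of the secret verifier.
func CodeChallengeS256(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// VerifyPKCE is the authorization server's check at the token endpoint: the
// verifier presented with the authorization code must hash to the challenge
// bound to that code at /authorize. Only S256 is accepted; "plain" would let
// anyone who observed the challenge redeem an intercepted code.
func VerifyPKCE(method, storedChallenge, presentedVerifier string) bool {
	if method != "S256" || !verifierRE.MatchString(presentedVerifier) {
		return false
	}
	got := CodeChallengeS256(presentedVerifier)
	return subtle.ConstantTimeCompare([]byte(got), []byte(storedChallenge)) == 1
}

// AuthorizeURL builds the request the CLI opens in the browser. redirect_uri
// is the loopback listener the CLI started for this login; state must be
// unguessable and is compared on the callback before the code is used.
func AuthorizeURL(authzEndpoint, clientID, redirectURI, state, challenge string) string {
	q := url.Values{}
	q.Set("response_type", "code")
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURI)
	q.Set("state", state)
	q.Set("code_challenge", challenge)
	q.Set("code_challenge_method", "S256")
	return authzEndpoint + "?" + q.Encode()
}

func main() {
	verifier, _ := NewCodeVerifier()
	state, _ := NewCodeVerifier() // the same generator serves for the CSRF-binding state
	challenge := CodeChallengeS256(verifier)
	// Hypothetical endpoint, client id and port chosen for this example.
	fmt.Println(AuthorizeURL("https://auth.example.com/authorize", "sentra-cli",
		"http://127.0.0.1:53682/callback", state, challenge))
	fmt.Println("correct verifier accepted:", VerifyPKCE("S256", challenge, verifier))
	fmt.Println("wrong verifier accepted:  ", VerifyPKCE("S256", challenge, verifier+"x"))
}
```

The property this buys is visible in VerifyPKCE: an attacker who phishes or sniffs the authorization code still has to produce a preimage of the SHA-256 challenge, which never left the CLI's memory. The state parameter is a separate control against a malicious page driving the loopback callback with a code from a different session.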

OS credential store

Tokens are stored in the operating system's credential store (macOS Keychain, freedesktop Secret Service on Linux, Windows Credential Manager), never in plaintext files or configuration.

Threat Model

What We Protect

  • Access tokens and refresh tokens
  • User and machine identity metadata
  • Local scan results and commit metadata
  • CLI local state and authorization decisions

Who We Defend Against

  • Local attackers (same-user malware, other OS users)
  • Remote attackers (network interception, OAuth phishing)
  • API probing and brute force attempts
  • Insider threats and misconfiguration

Security Controls

  • PKCE S256 for OAuth flow
  • JWT signature verification via Supabase JWKS
  • Strict claims validation (iss, aud, exp, sub, role)
  • OS credential store for token storage
  • No logging of secrets or tokens

Security Requirements

  • Never accept a JWT without verifying its signature against the published JWKS and strictly validating iss, aud and exp; the expected signing algorithm is fixed by the verifier, not taken from the token header
  • Never log tokens, refresh tokens, or OAuth auth codes
  • Default to secure storage; no silent downgrade to plaintext or file-based secrets
  • Server endpoints must be explicit; avoid generic database passthrough endpoints
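The JWT controls listed under Security Controls and the first requirement above amount to one verifier routine: pin the algorithm, look the key up by kid in a cached JWKS, check the signature before reading a single claim, then compare iss, aud, exp, sub and role against values fixed in advance. The following is an added example written for this page, not Sentra's code (Go, the ES256 key type and the issuer, audience and role strings are assumptions made here for illustration; a JWKS fetched from Supabase would be parsed into the same kid-to-key map). The signing helper exists only so the example runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Claims this verifier requires. aud is treated as a single string; issuers
// that emit an array would need a custom decoder here.
type Claims struct {
	Iss  string `json:"iss"`
	Sub  string `json:"sub"`
	Aud  string `json:"aud"`
	Exp  int64  `json:"exp"`
	Role string `json:"role"`
}

var b64 = base64.RawURLEncoding

func decodeSegment(seg string, v interface{}) error {
	raw, err := b64.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// VerifyES256 validates a compact JWT against public keys indexed by kid (the
// shape a cached JWKS gives you). The algorithm is fixed to ES256 instead of
// being read from the header, and the signature is checked before any claim
// can influence a decision. Claims are returned only on complete success.
func VerifyES256(token string, keys map[string]*ecdsa.PublicKey, iss, aud, role string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg, Kid string }
	if err := decodeSegment(parts[0], &hdr); err != nil {
		return nil, err
	}
	if hdr.Alg != "ES256" { // also rejects "none" and HS256/RS256 key confusion
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	pub, ok := keys[hdr.Kid]
	if !ok {
		return nil, errors.New("unknown kid")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || len(sig) != 64 { // ES256 signatures are raw r||s, 32 bytes each
		return nil, errors.New("bad signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return nil, errors.New("signature verification failed")
	}
	var c Claims
	if err := decodeSegment(parts[1], &c); err != nil {
		return nil, err
	}
	switch {
	case c.Iss != iss:
		return nil, errors.New("iss mismatch")
	case c.Aud != aud:
		return nil, errors.New("aud mismatch")
	case c.Exp == 0 || !now.Before(time.Unix(c.Exp, 0)):
		return nil, errors.New("token expired or exp missing")
	case c.Sub == "":
		return nil, errors.New("sub missing")
	case c.Role != role:
		return nil, errors.New("role mismatch")
	}
	return &c, nil
}

// signES256 plays the identity provider so the example runs offline.
func signES256(priv *ecdsa.PrivateKey, kid string, c Claims) (string, error) {
	enc := func(v interface{}) string { b, _ := json.Marshal(v); return b64.EncodeToString(b) }
	signing := enc(map[string]string{"alg": "ES256", "typ": "JWT", "kid": kid}) + "." + enc(c)
	digest := sha256.Sum256([]byte(signing))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signing + "." + b64.EncodeToString(sig), nil
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	iss := "https://example.supabase.co/auth/v1" // illustrative issuer, not a real project
	tok, _ := signES256(priv, "k1", Claims{Iss: iss, Sub: "user-42", Aud: "authenticated", Exp: time.Now().Add(time.Hour).Unix(), Role: "authenticated"})
	c, err := VerifyES256(tok, map[string]*ecdsa.PublicKey{"k1": &priv.PublicKey}, iss, "authenticated", "authenticated", time.Now())
	fmt.Printf("claims=%+v err=%v\n", c, err)
}
```

Order matters in this routine. The header is trusted only as far as choosing which key to try; the algorithm is never read from it, and the payload is not even decoded until the signature has been checked against that key. Every comparison is against a value the server fixed before the token arrived, and the routine returns no claims at all on any failure, so callers cannot accidentally act on a partially validated token.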

Report Security Issues

If you discover a security vulnerability, please report it responsibly. Open a private security report to the maintainers, or if private channels are not available, open a minimal public issue that does not contain secrets and request a private follow-up.

Report on GitHub →