Authentication & Access Control

Rankability uses a layered security model to protect user accounts, enforce tenant isolation, and manage API access. Every access path follows a fail-closed design — if something goes wrong with authentication, access is denied by default.

User Authentication

User authentication is managed by Clerk, a SOC 2 Type II certified identity provider. Rankability does not store passwords or manage authentication sessions directly.

Clerk provides:

  • Secure sign-in with email and social providers
  • Multi-factor authentication (MFA) support
  • Session management with automatic expiration
  • Organization-based team management

Multi-Tenant Isolation

Every piece of customer data in Rankability is scoped to an organization:

  • Organization IDs are derived from the authenticated session — they are never accepted from request parameters or URL paths. This prevents any possibility of accessing another customer's data by manipulating a request.
  • Orphan records (data missing both organization and user identifiers) are denied access by default.
  • Cross-tenant queries are blocked at the data layer through ownership verification on every request.

Admin Access

Administrative access is managed through a database-backed allowlist rather than hardcoded credentials:

  • The admin allowlist is maintained in a secure database table
  • Changes to admin access are logged in the audit trail
  • Admin access can be managed through the admin dashboard without code deployments
  • If the database is unreachable, admin access is denied (fail-closed)
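The fail-closed behaviour in the last bullet is the part that is easy to get wrong in practice. The Python sketch below is an added illustration, not Rankability's code: the allowlist table and audit trail are in-memory stand-ins, and the point is the control flow, where membership is re-checked on each request, every change writes an audit entry, and any error reaching the store denies admin access instead of falling back to a hardcoded list.

```python
"""Database-backed admin allowlist that fails closed.

Added example, not Rankability's code. The allowlist table and audit
trail are in-memory stand-ins (constructed); what matters is the control
flow: membership is re-checked on every request, every change is logged,
and any error reaching the store denies admin access rather than falling
back to a hardcoded list.
"""
from dataclasses import dataclass, field
from typing import List, Set


@dataclass
class AllowlistStore:
    """Stand-in for the admin allowlist table plus its audit log."""
    reachable: bool = True
    _admins: Set[str] = field(default_factory=set)
    audit_log: List[dict] = field(default_factory=list)

    def _connect(self) -> None:
        if not self.reachable:
            raise ConnectionError("allowlist database unreachable")

    def is_admin(self, user_id: str) -> bool:
        self._connect()
        return user_id in self._admins

    def grant(self, actor: str, user_id: str, ts: str) -> None:
        self._connect()
        self._admins.add(user_id)
        self.audit_log.append({"ts": ts, "actor": actor,
                               "action": "grant", "subject": user_id})

    def revoke(self, actor: str, user_id: str, ts: str) -> None:
        self._connect()
        self._admins.discard(user_id)
        self.audit_log.append({"ts": ts, "actor": actor,
                               "action": "revoke", "subject": user_id})


def has_admin_access(store: AllowlistStore, user_id: str) -> bool:
    """Per-request admin check. Any failure (outage, timeout, bad row)
    yields False: a broken dependency must never widen access."""
    try:
        return store.is_admin(user_id)
    except Exception:
        return False


def demo() -> dict:
    """Walk through grant, outage, and revoke; returns the observed results."""
    store = AllowlistStore()
    store.grant("bootstrap", "user_1", "2024-01-01T00:00:00Z")
    results = {"granted": has_admin_access(store, "user_1"),
               "not_listed": has_admin_access(store, "user_2")}
    store.reachable = False                      # simulate a database outage
    results["during_outage"] = has_admin_access(store, "user_1")
    store.reachable = True
    store.revoke("user_1", "user_1", "2024-01-02T00:00:00Z")
    results["after_revoke"] = has_admin_access(store, "user_1")
    results["audit_entries"] = len(store.audit_log)
    return results


if __name__ == "__main__":
    print(demo())
```

The broad `except Exception` is deliberate here: for an authorization decision the only safe response to an unexpected error is denial, with the error itself logged separately for operators.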

API Key Security

For programmatic access via the Agent API, Rankability provides API keys with robust security controls:

  • Hashed storage: API keys are stored as SHA-256 hashes. Plaintext keys are shown once at creation and never stored.
  • Scoped permissions: Each key can be limited to specific capabilities (content, reports, clients, knowledge base)
  • Expiration support: Keys can be set to expire automatically
  • Revocation: Keys can be revoked instantly through the dashboard. Revoked keys are purged from the system after 90 days.
  • Abuse detection: Keys are automatically suspended when abuse patterns are detected
  • Timing-safe validation: All key comparisons use constant-time algorithms to prevent timing attacks
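To make the controls above concrete, here is an added Python sketch of an API key lifecycle; it is not Rankability's code. The key format `rk_<key id>_<secret>`, the in-memory store, and the scope names as identifiers are assumptions, and abuse detection appears only as a `suspended` flag. Keys are stored as SHA-256 hashes, the plaintext is returned exactly once, the stored hash is compared in constant time, and revoked rows are purged after 90 days.

```python
"""API key lifecycle: hashed storage, scopes, expiry, revocation, purge.

Added example, not Rankability's code. The key format "rk_<id>_<secret>",
the in-memory store and the scope identifiers are assumptions; abuse
detection is represented only by the `suspended` flag.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

PURGE_AFTER = timedelta(days=90)
SCOPES = {"content", "reports", "clients", "knowledge_base"}


@dataclass
class StoredKey:
    key_hash: str                  # hex SHA-256 of the full plaintext key
    scopes: frozenset
    expires_at: Optional[datetime]
    revoked_at: Optional[datetime] = None
    suspended: bool = False        # set by abuse detection (not modelled)


KeyStore = Dict[str, StoredKey]    # key id -> row; plaintext never appears


def hash_key(plaintext: str) -> str:
    return hashlib.sha256(plaintext.encode("utf-8")).hexdigest()


def create_key(store: KeyStore, scopes, ttl: Optional[timedelta], now: datetime) -> str:
    """Mint a key. The plaintext is returned once and only its hash is kept."""
    unknown = set(scopes) - SCOPES
    if unknown:
        raise ValueError(f"unknown scopes: {sorted(unknown)}")
    key_id = secrets.token_hex(8)               # public lookup handle
    plaintext = f"rk_{key_id}_{secrets.token_urlsafe(32)}"
    store[key_id] = StoredKey(hash_key(plaintext), frozenset(scopes),
                              now + ttl if ttl else None)
    return plaintext


def validate_key(store: KeyStore, presented: str, scope: str,
                 now: datetime) -> Tuple[bool, str]:
    """Every check that can fail closes access; the reason is for logging."""
    parts = presented.split("_", 2)             # the secret may contain "_"
    if len(parts) != 3 or parts[0] != "rk":
        return False, "malformed"
    row = store.get(parts[1])
    if row is None:
        return False, "unknown"
    # Constant-time digest comparison: with "==" the response time would
    # reveal how many leading bytes of the hash matched.
    if not hmac.compare_digest(hash_key(presented), row.key_hash):
        return False, "bad_secret"
    if row.revoked_at is not None:
        return False, "revoked"
    if row.suspended:
        return False, "suspended"
    if row.expires_at is not None and now >= row.expires_at:
        return False, "expired"
    if scope not in row.scopes:
        return False, "out_of_scope"
    return True, "ok"


def revoke_key(store: KeyStore, key_id: str, now: datetime) -> None:
    store[key_id].revoked_at = now              # takes effect on the next call


def purge_revoked(store: KeyStore, now: datetime) -> int:
    """Delete rows revoked at least PURGE_AFTER ago; returns the count."""
    stale = [k for k, r in store.items()
             if r.revoked_at is not None and now - r.revoked_at >= PURGE_AFTER]
    for k in stale:
        del store[k]
    return len(stale)


def demo() -> dict:
    """Create, use, tamper with, expire, revoke and purge one key."""
    store: KeyStore = {}
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    key = create_key(store, {"reports"}, timedelta(days=30), t0)
    key_id = key.split("_")[1]
    tampered = key[:-1] + ("A" if key[-1] != "A" else "B")
    results = {
        "plaintext_stored": any(key in (k, r.key_hash) for k, r in store.items()),
        "valid": validate_key(store, key, "reports", t0),
        "out_of_scope": validate_key(store, key, "content", t0),
        "tampered": validate_key(store, tampered, "reports", t0),
        "expired": validate_key(store, key, "reports", t0 + timedelta(days=31)),
    }
    revoke_key(store, key_id, t0 + timedelta(days=1))
    results["revoked"] = validate_key(store, key, "reports", t0 + timedelta(days=2))
    results["purged_at_30d"] = purge_revoked(store, t0 + timedelta(days=30))
    results["purged_at_91d"] = purge_revoked(store, t0 + timedelta(days=91))
    results["after_purge"] = validate_key(store, key, "reports", t0 + timedelta(days=92))
    return results
```

Looking a row up by its public key id and then comparing the digest with `hmac.compare_digest` keeps the lookup cheap while leaving no byte-by-byte timing signal in the secret comparison; a plain `==` on the hash would short-circuit at the first differing byte.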

OAuth Integration Security

When you connect Google services (Search Console, Analytics, Business Profile, YouTube):

  • OAuth tokens are encrypted at rest using AES-256-GCM
  • OAuth state parameters are signed with a dedicated secret — never reusing database credentials
  • Token scopes are limited to only what is needed for each service
  • Disconnecting an integration immediately nullifies tokens, with full cleanup within 30 days
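The second bullet, a signed state parameter with its own secret, is worth showing in code. The Python sketch below is an added illustration, not Rankability's code: the payload fields are assumptions, token storage (AES-256-GCM at rest) is not shown, and the nonce is included without modelling single-use tracking. It shows that a state signed under any other secret, such as one borrowed from a database credential, fails verification, as does a tampered, expired, or cross-organization state.

```python
"""HMAC-signed OAuth state parameter with a dedicated secret.

Added example, not Rankability's code. Payload fields are assumptions and
the nonce is not tracked for single use; token storage is not shown.
"""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

STATE_TTL_SECONDS = 600


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_state(secret: bytes, org_id: str, service: str, now: int) -> str:
    """Build `<payload>.<signature>`; the signature binds the callback to
    the organization and service that started the flow."""
    payload = {"nonce": secrets.token_urlsafe(16), "org": org_id,
               "service": service, "exp": now + STATE_TTL_SECONDS}
    body = _b64e(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, body.encode("ascii"), hashlib.sha256).digest()
    return f"{body}.{_b64e(sig)}"


def verify_state(secret: bytes, state: str, now: int,
                 session_org: str) -> Optional[dict]:
    """Return the payload if the state is authentic, unexpired and belongs
    to the calling session's organization; otherwise None (fail closed)."""
    body, _, sig = state.partition(".")
    if not body or not sig:
        return None
    expected = hmac.new(secret, body.encode("ascii"), hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(expected, _b64d(sig)):
            return None
        payload = json.loads(_b64d(body))
    except (ValueError, UnicodeDecodeError):
        return None
    if now >= payload.get("exp", 0) or payload.get("org") != session_org:
        return None
    return payload


def demo() -> dict:
    """Exercise the verifier against a valid, foreign-key-signed, tampered,
    expired and cross-organization state; all secrets are constructed here."""
    state_secret = secrets.token_bytes(32)    # dedicated to state signing
    other_secret = secrets.token_bytes(32)    # stands in for any reused credential
    now = 1_700_000_000
    state = make_state(state_secret, "org_a", "search_console", now)
    body, _, sig = state.partition(".")
    tampered = ("A" if body[0] != "A" else "B") + body[1:] + "." + sig
    return {
        "valid": verify_state(state_secret, state, now + 5, "org_a") is not None,
        "wrong_secret": verify_state(other_secret, state, now + 5, "org_a"),
        "tampered": verify_state(state_secret, tampered, now + 5, "org_a"),
        "expired": verify_state(state_secret, state, now + 601, "org_a"),
        "other_session": verify_state(state_secret, state, now + 5, "org_b"),
    }
```

The organization check at the end ties the callback to the session that initiated the flow, which is the same session-derived tenant rule used for data access; the state itself is never trusted to name the tenant without that comparison.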

Session Security

  • Sessions are managed by Clerk with automatic timeout
  • Organization context is always derived from the session token
  • Administrative sessions are verified on every request against the database-backed allowlist

For security inquiries or to request our SOC 2 report, contact [email protected]