
Security

thig.ai provides enterprise-grade security controls for organizations that need them.

Two-Factor Authentication (MFA)

Add an extra layer of security to your account with TOTP-based two-factor authentication.

Setup

  1. Go to Settings > Profile > Security
  2. Click Enable Two-Factor Authentication
  3. Scan the QR code with your authenticator app (Google Authenticator, Authy, 1Password, etc.)
  4. Enter the 6-digit code to verify setup
  5. Save your backup codes in a secure location

Signing In with MFA

After entering your email and password, you’ll be prompted for a 6-digit code from your authenticator app. Enter the code within 30 seconds of generation.

Backup Codes

During MFA setup, you receive 10 one-time backup codes. Each code can be used exactly once if you lose access to your authenticator app.
Store backup codes securely. If you lose both your authenticator and backup codes, contact support to regain access.

IP Allowlisting

Enterprise feature. Restrict access to your organization so that it is reachable only from specific IP addresses or ranges.

Configuration

  1. Go to Settings > Security (admin only)
  2. Add IP addresses or CIDR ranges (e.g., 10.0.0.0/24 or 203.0.113.5)
  3. Optionally add a label for each entry (e.g., “Office VPN”)

How It Works

  • When any entry exists in the allowlist, only matching IPs can access the organization
  • When the allowlist is empty, all IPs are allowed (no restriction)
  • Changes take effect immediately

Before enabling IP allowlisting, make sure your current IP is in the list. Otherwise you’ll lock yourself out.
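The allowlist rules above, as an added example that is not thig.ai's code: IPv4-only CIDR matching with the empty-list-means-no-restriction semantic, plus a pre-save check that refuses a list which would exclude the admin's own address (the lock-out the note warns about). The entry shape { cidr, label } is assumed; the sample entries reuse the page's own example addresses.

```javascript
// Added example, not thig.ai's code: IPv4 allowlist evaluation with the semantics
// described above. Assumed entry shape: { cidr: '10.0.0.0/24', label: 'Office VPN' }.
function ipv4ToInt(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4) throw new Error(`not an IPv4 address: ${ip}`);
  return parts.reduce((acc, p) => {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) throw new Error(`not an IPv4 address: ${ip}`);
    return acc * 256 + Number(p);
  }, 0);
}

// Parse "10.0.0.0/24" or a bare "203.0.113.5" (treated as /32).
function parseCidr(entry) {
  const [ip, prefixStr = '32'] = entry.split('/');
  const prefix = Number(prefixStr);
  if (!Number.isInteger(prefix) || prefix < 0 || prefix > 32) throw new Error(`bad prefix: ${entry}`);
  // JS shifts are mod 32, so /0 has to be special-cased; >>> 0 keeps the mask unsigned.
  const mask = prefix === 0 ? 0 : (0xffffffff << (32 - prefix)) >>> 0;
  return { network: (ipv4ToInt(ip) & mask) >>> 0, mask };
}

function ipMatches(ip, rule) {
  return ((ipv4ToInt(ip) & rule.mask) >>> 0) === rule.network;
}

// Empty allowlist => no restriction; otherwise the client IP must match some entry.
function isAllowed(clientIp, allowlist) {
  if (allowlist.length === 0) return true;
  return allowlist.some((entry) => ipMatches(clientIp, parseCidr(entry.cidr)));
}

// Guard for the lock-out warning: refuse to save a non-empty allowlist that would
// exclude the address the admin is currently connecting from.
function validateAllowlistChange(adminIp, newAllowlist) {
  if (newAllowlist.length > 0 && !isAllowed(adminIp, newAllowlist)) {
    return { ok: false, reason: `current IP ${adminIp} is not covered by the new allowlist` };
  }
  return { ok: true };
}

// Constructed sample entries (addresses taken from the page's own examples).
const sampleAllowlist = [
  { cidr: '10.0.0.0/24', label: 'Office VPN' },
  { cidr: '203.0.113.5', label: 'Admin home' },
];
```

The check runs against the address the request actually arrived from; if the service sits behind a proxy or load balancer, the client address has to be taken from a trusted forwarding header rather than the socket, otherwise every request appears to come from the proxy.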

Audit Logs

Track all significant actions across your organization for compliance and debugging.

Viewing Logs

Go to Settings > Audit Logs (/admin/audit-logs) to view:
  • Who performed the action
  • What action was taken (create, update, delete, login, export, etc.)
  • When it happened (in your timezone)
  • Severity level (info, warning, critical)

Filtering

Filter audit logs by:
  • Action type
  • Severity level
  • Category (auth, project, team, billing, etc.)
  • User
  • Date range

Exporting

Organization admins and SuperAdmins can export audit logs:
  • CSV — For spreadsheet analysis
  • JSON — For programmatic processing

Export via the Export button on the audit logs page, or programmatically via GET /api/admin/audit-logs/export.

Encryption

  • API keys (both BYOK and REST) are encrypted at rest with AES-256-GCM
  • Passwords are hashed with bcryptjs
  • Webhook secrets are HMAC-SHA256 signed
  • MFA secrets are encrypted before storage

Account Lockout

After 5 failed login attempts, the account is locked for 15 minutes. The lockout counter resets after 30 minutes of no failed attempts.
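The lockout policy above as a small in-memory state machine, an added example that is not thig.ai's code. Time is passed in as Unix seconds so the 15-minute and 30-minute rules can be exercised deterministically, and I assume the failure counter starts fresh once a lock has expired; the page does not say what happens to it after a lock.

```javascript
// Added example, not thig.ai's code: 5 failures -> 15-minute lock, counter reset after
// 30 minutes without a failure. Assumptions: time is injected as Unix seconds, and the
// counter starts fresh once a lock has expired.
const MAX_FAILURES = 5;
const LOCK_SECONDS = 15 * 60;
const RESET_SECONDS = 30 * 60;

class LoginThrottle {
  constructor() {
    this.accounts = new Map(); // account id -> { failures, lastFailure, lockedUntil }
  }

  _state(account) {
    if (!this.accounts.has(account)) {
      this.accounts.set(account, { failures: 0, lastFailure: 0, lockedUntil: 0 });
    }
    return this.accounts.get(account);
  }

  isLocked(account, now) {
    return now < this._state(account).lockedUntil;
  }

  // Outcome of one login attempt. `passwordOk` is the result of the credential check;
  // a locked account is rejected even when the password is right.
  attempt(account, passwordOk, now) {
    const s = this._state(account);
    if (now < s.lockedUntil) {
      return { status: 'locked', until: s.lockedUntil };
    }
    if (passwordOk) {
      this.accounts.delete(account);               // success clears the counter
      return { status: 'ok' };
    }
    // Counter resets after 30 minutes with no failed attempt.
    if (s.failures > 0 && now - s.lastFailure >= RESET_SECONDS) s.failures = 0;
    s.failures += 1;
    s.lastFailure = now;
    if (s.failures >= MAX_FAILURES) {
      s.lockedUntil = now + LOCK_SECONDS;
      s.failures = 0;                               // assumption: fresh window after the lock
      return { status: 'locked', until: s.lockedUntil };
    }
    return { status: 'failed', remaining: MAX_FAILURES - s.failures };
  }
}
```

Returning the same 'locked' result for a correct and an incorrect password while the lock is active matters: if the right password produced a different response, the lock would not stop password guessing, only slow it down.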

Session Security

  • Session cookies are HTTP-only and Secure in production
  • Sessions expire based on NextAuth configuration
  • Cross-domain session transfer uses HMAC-signed tokens with 60-second TTL