> ## Documentation Index
> Fetch the complete documentation index at: https://docs.thig.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Security

> MFA, IP allowlisting, audit logs, and enterprise security features

# Security

thig.ai provides enterprise-grade security controls for organizations that need them.

## Two-Factor Authentication (MFA)

Add an extra layer of security to your account with TOTP-based two-factor authentication.

### Setup

1. Go to **Settings > Profile > Security**
2. Click **Enable Two-Factor Authentication**
3. Scan the QR code with your authenticator app (Google Authenticator, Authy, 1Password, etc.)
4. Enter the 6-digit code to verify setup
5. Save your **backup codes** in a secure location

### Signing In with MFA

After entering your email and password, you'll be prompted for a 6-digit code from your authenticator app. Enter the code within 30 seconds of generation.

### Backup Codes

During MFA setup, you receive 10 one-time backup codes. Each code can be used exactly once if you lose access to your authenticator app.

<Warning>
  Store backup codes securely. If you lose both your authenticator and backup codes, contact support to regain access.
</Warning>

## IP Allowlisting

*Enterprise feature*

Restrict access to your organization from specific IP addresses or ranges.

### Configuration

1. Go to **Settings > Security** (admin only)
2. Add IP addresses or CIDR ranges (e.g., `10.0.0.0/24` or `203.0.113.5`)
3. Optionally add a label for each entry (e.g., "Office VPN")

### How It Works

* When **any** entry exists in the allowlist, only matching IPs can access the organization
* When the allowlist is **empty**, all IPs are allowed (no restriction)
* Changes take effect immediately

<Tip>
  Before enabling IP allowlisting, make sure your current IP is in the list. Otherwise you'll lock yourself out.
</Tip>

## Audit Logs

Track all significant actions across your organization for compliance and debugging.

### Viewing Logs

Go to **Settings > Audit Logs** (`/admin/audit-logs`) to view:

* **Who** performed the action
* **What** action was taken (create, update, delete, login, export, etc.)
* **When** it happened (in your timezone)
* **Severity** level (info, warning, critical)

### Filtering

Filter audit logs by:

* Action type
* Severity level
* Category (auth, project, team, billing, etc.)
* User
* Date range

### Exporting

Organization admins and SuperAdmins can export audit logs:

* **CSV** — For spreadsheet analysis
* **JSON** — For programmatic processing

Export via the **Export** button on the audit logs page, or programmatically via `GET /api/admin/audit-logs/export`.

## Encryption

* **API keys** (both BYOK and REST) are encrypted at rest with AES-256-GCM
* **Passwords** are hashed with bcryptjs
* **Webhook secrets** are HMAC-SHA256 signed
* **MFA secrets** are encrypted before storage

## Account Lockout

After 5 failed login attempts, the account is locked for 15 minutes. The lockout counter resets after 30 minutes of no failed attempts.

## Session Security

* Session cookies are HTTP-only and Secure in production
* Sessions expire based on NextAuth configuration
* Cross-domain session transfer uses HMAC-signed tokens with 60-second TTL
