Security at Vi-Engine
This page covers the security-related behaviors we can verify in the current frontend and connected-account flows. It is deliberately specific and avoids sweeping claims that the product does not currently prove.
Current, verified scope
This page is intentionally limited to what the product currently proves in three areas: customer sessions, route gating in the app shell, and connected-account handling.
Customer dashboard sessions
Customer authentication currently uses a short-lived access token together with a refresh token. The frontend stores both values in localStorage. So that Next.js middleware can protect customer routes before the app hydrates, the frontend also mirrors the current access token into the first-party vi_access_token cookie. Because that cookie is set from frontend JavaScript, it cannot carry the HttpOnly flag, and, like the localStorage copies, it is readable by any script that runs on the page origin. This page therefore does not claim that customer auth tokens are stored in HttpOnly cookies.
Route gating in the current app shell
The frontend middleware checks for the presence of the vi_access_token cookie on protected customer routes and redirects requests that lack it to /login. This is a presence check at the routing layer, not a validation of the token itself. /founderspace is intentionally excluded from that customer gate because it has its own internal auth flow, and /admin remains a compatibility redirect to /founderspace.
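The routing decision described above, written as an added example rather than Vi-Engine's own middleware: the gate is factored into a pure function so it can be exercised without Next.js. The cookie name and the /login, /founderspace and /admin behaviours come from this page; the list of public paths, the 307/308 status choices and the wiring comment are assumptions made for the example.

```javascript
// Added example, not the project's middleware. Route names and the cookie
// name are from the page; PUBLIC_PREFIXES and the redirect statuses are assumed.

const ACCESS_COOKIE = "vi_access_token";
const LOGIN_PATH = "/login";
const FOUNDERSPACE_PREFIX = "/founderspace";
const ADMIN_PREFIX = "/admin";
// Assumed: paths the customer gate must never block (login page, static chunks).
const PUBLIC_PREFIXES = ["/login", "/_next"];

function underPrefix(pathname, prefix) {
  return pathname === prefix || pathname.startsWith(prefix + "/");
}

/**
 * Decide what the edge middleware does for one request.
 * @param {string} pathname  request path, e.g. "/dashboard/settings"
 * @param {(name: string) => string|undefined} getCookie  cookie lookup by name
 * @returns {{action: "next"} | {action: "redirect", to: string, status: number}}
 */
function gateCustomerRoute(pathname, getCookie) {
  // /admin is kept only as a compatibility alias for /founderspace.
  if (underPrefix(pathname, ADMIN_PREFIX)) {
    return {
      action: "redirect",
      to: FOUNDERSPACE_PREFIX + pathname.slice(ADMIN_PREFIX.length),
      status: 308,
    };
  }
  // FounderSpace has its own internal auth flow; the customer gate does not apply.
  if (underPrefix(pathname, FOUNDERSPACE_PREFIX)) return { action: "next" };
  if (PUBLIC_PREFIXES.some((p) => underPrefix(pathname, p))) return { action: "next" };

  // Presence check only: any non-empty cookie value passes. Nothing here
  // verifies a signature or an expiry, so a forged or stale cookie still
  // reaches the page shell; the token must be validated wherever it is used.
  const token = getCookie(ACCESS_COOKIE);
  if (typeof token === "string" && token.length > 0) return { action: "next" };
  return { action: "redirect", to: LOGIN_PATH, status: 307 };
}

// Assumed wiring inside middleware.js, shown as a comment so the example runs
// without Next.js:
//   export function middleware(req) {
//     const d = gateCustomerRoute(req.nextUrl.pathname, (n) => req.cookies.get(n)?.value);
//     if (d.action === "next") return NextResponse.next();
//     return NextResponse.redirect(new URL(d.to, req.url), d.status);
//   }

// Constructed cookie jar for a stand-alone run.
const demoJar = { vi_access_token: "demo.access.token" };
const fromDemoJar = (name) => demoJar[name];
console.log(gateCustomerRoute("/dashboard", fromDemoJar));        // { action: "next" }
console.log(gateCustomerRoute("/dashboard", () => undefined));   // redirect to /login
console.log(gateCustomerRoute("/admin/users", () => undefined)); // redirect to /founderspace/users
```

Two checks follow from this. First, because the gate only tests presence, setting any non-empty vi_access_token cookie in the browser will reach the customer page shell; the access token has to be checked by whatever serves customer data, not by the middleware. Second, on a logged-in customer page, evaluating document.cookie.includes("vi_access_token=") in the devtools console returns true, which confirms the cookie is script-readable and so cannot be HttpOnly, consistent with the session section above.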
FounderSpace is separate from customer auth
FounderSpace uses its own internal auth value in sessionStorage and keeps its internal workspace selection separate from the customer dashboard workspace state. This separation is intentional: FounderSpace is an internal/admin-only route and should not inherit the customer dashboard shell or customer onboarding and billing chrome.
Connected social accounts
Social account connections use official OAuth 2.0 authorization-code flows. Platform credentials returned by those flows are stored on the backend in encrypted form using AES-256-GCM and are used for the platform actions you authorize, such as publishing, analytics sync, or connection-health checks.
Evidence-based scope
This page is intentionally limited to controls we can verify in the current frontend and connected-account flows. It does not make blanket promises about browser headers, cookie flags, or CSRF-cookie behavior unless those details are directly reflected in the current code and verified product behavior.
Contact security
For security questions or vulnerability reports, email security@viengine.social.