Security

Inspect the boundary. Verify the release.

Authsia keeps vault access local and exposes the policy, CLI, Bridge, SSH, and native-host security core for independent review.

What is public

The Apache-2.0 security core contains authorization policy, storage adapters, Bridge and SSH host logic, the CLI, and focused security tests.

What remains private

The SwiftUI application, approval presentation, product assets, signing credentials, and private release infrastructure are not public. Public source releases attest the public CLI and SBOM; they do not claim that the private app is reproducibly built from the public repository.

Official signing identity

Official macOS releases are expected to use this Apple Developer Team ID:

33M8QU65SP

Use the release verification script to check the DMG hash, signing authority, notarization, Gatekeeper result, bundled CLI, source pin, and SBOM.

Report a vulnerability

Report security issues privately through GitHub. Do not include real secrets, seeds, private keys, passphrases, or one-time codes in a report.

Read SECURITY.md