Security

How we protect identity data and tokens.

a0.gg is an identity broker, so the most important security property is how little it keeps. This page summarizes the controls and practices used to protect users of connected services. It is a high-level description, not a formal certification.

Token custody

OAuth refresh tokens for connected services are held and rotated by Auth0 Token Vault rather than stored in application code or databases under our control. Access tokens are short-lived and requested on demand.

Least privilege

We request the minimum scopes needed for a given connector — OIDC basics plus only the specific sensitive scopes a feature requires (for example Calendar or Sheets). We do not request Gmail or full Drive access.

Pass-through by design

The gateway brokers authorization; it is not a content store. User content from connected services is relayed to the initiating tenant and not durably retained by a0.gg.

Encryption in transit

All traffic is served exclusively over HTTPS/TLS. Endpoints run on Cloudflare’s edge network, which terminates TLS and provides DDoS protection.

Minimal, short-lived logs

Operational logs and metadata (such as timestamps and error traces) are kept for no more than 14 days and used only for debugging, security, and abuse prevention.

Fixed, verified redirect URI

Providers only ever see one fixed, verified redirect URI. This narrows the trust surface and makes the integration auditable by each provider.

Additional practices

  • Secrets and provider credentials are stored in platform secret stores, never in source control.
  • No tracking cookies, advertising pixels, or third-party analytics are loaded by this website.
  • Self-hosted fonts and assets — the site makes no third-party requests for required pages.
  • Dependencies are kept minimal; the public site ships as static files.

Reporting a vulnerability

If you believe you’ve found a security issue or abuse involving a0.gg, please report it responsibly. We aim to acknowledge reports promptly and ask that you give us reasonable time to remediate before any public disclosure.