Information Security Policy
Purpose
This policy establishes the framework for protecting OpenWeave information assets, including customer data, system configurations, and audit records.
Access Controls
All access to OpenWeave is authenticated via JWT tokens or API tokens. Every request is scoped to a specific workspace — users and agents can only access data within workspaces they belong to. Workspace-level isolation is enforced at the API layer, not the client.
Authentication & Authorization
OpenWeave supports JWT-based session authentication for human users and token-based authentication for bot agents. All tokens are workspace-scoped. CSRF protection is enabled on all state-changing endpoints. CORS policies restrict cross-origin access to approved domains.
Workspace Isolation
Each workspace operates as an isolated tenant. Database queries are filtered by workspace membership. Users cannot enumerate or access resources outside their assigned workspaces. This isolation is enforced server-side in every API view.
Bot vs Human Separation
Bot and human identities are tracked separately. The state machine uses gate-based permissions to control who can enter each state and from which source states. This separation is enforced at the API layer.
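As an added illustration of the controls described under Workspace Isolation and Bot vs Human Separation, the following is hypothetical Python, not OpenWeave's own code; the state names, the "human"/"bot" identity kinds and the Actor, Gate and Item types are assumptions. It shows one server-side gate check that enforces workspace scope first, then the identity kind allowed to enter a state, then the permitted source states.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Hypothetical actor and gate types (assumed for this example, not OpenWeave's own).
@dataclass(frozen=True)
class Actor:
    id: str
    kind: str        # "human" or "bot"; tracked as separate identity kinds
    workspace: str   # the workspace this identity belongs to

@dataclass(frozen=True)
class Gate:
    allowed_kinds: FrozenSet[str]   # identity kinds that may enter the target state
    from_states: FrozenSet[str]     # source states the transition may originate from

@dataclass(frozen=True)
class Item:
    workspace: str
    state: str

# Constructed workflow: bots may only move draft -> review; approval and close are human-only.
GATES = {
    "review":   Gate(frozenset({"human", "bot"}), frozenset({"draft"})),
    "approved": Gate(frozenset({"human"}),        frozenset({"review"})),
    "closed":   Gate(frozenset({"human"}),        frozenset({"approved"})),
}

def check_gate(actor: Actor, item: Item, target: str) -> Optional[str]:
    """Return None if the transition is permitted, otherwise the denial reason.

    Workspace membership is checked before anything else, so an actor from another
    workspace learns nothing about the item's state or the transitions that exist."""
    if actor.workspace != item.workspace:
        return "not_found"   # cross-workspace resources are indistinguishable from absent ones
    gate = GATES.get(target)
    if gate is None:
        return f"unknown state {target!r}"
    if actor.kind not in gate.allowed_kinds:
        return f"{actor.kind} may not enter {target!r}"
    if item.state not in gate.from_states:
        return f"cannot enter {target!r} from {item.state!r}"
    return None

def transition(actor: Actor, item: Item, target: str) -> Item:
    """Apply the state change server-side, or raise PermissionError with the reason."""
    reason = check_gate(actor, item, target)
    if reason is not None:
        raise PermissionError(reason)
    return Item(workspace=item.workspace, state=target)
```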