Authentication & access control
Knoq provides battle-tested session management, multi-organization support, and a full suite of enterprise identity options through its managed authentication layer.

Organization isolation is enforced at the database level — every query is scoped by both user identity and organization. No cross-tenant data leakage is possible through the API; a member of one organization cannot read sessions, integrations, or audit records belonging to another.

SSO enforcement is available on the Business tier. Once enabled, all members must authenticate through your configured identity provider. Accepting an invite or switching organizations while SSO is required will redirect the user through the SSO flow — there is no bypass path.

Multi-org membership is supported: your users can belong to multiple Knoq organizations and switch between them. Each switch is authenticated and rate-limited to 30 switches per hour per user, and can only move a user into an organization where they already hold a membership.

CSRF protection is applied to every mutating route. An additional stale-tab guard prevents cross-organization action replay.

Rate limits are enforced server-side on every request:

| Limit | Value |
|---|---|
| Messages per user per minute | 60 |
| Session creates per user per minute | 10 |
| Org switches per user per hour | 30 |
Data encryption
All sensitive data is encrypted before it is written to disk.

At rest: Integration credentials (OAuth tokens) and BYOK API keys are encrypted using AES-256-GCM. Knoq uses envelope encryption so that the master key can be rotated without requiring every stored credential to be re-encrypted in a single operation.

In transit: All communication between your browser, the Knoq API, your AI provider, and your connected MCP servers is protected by TLS 1.2 or higher. There is no plaintext channel at any hop.

Database: Session data, audit records, and org metadata are stored in Knoq’s hosted database with encryption at rest provided by the managed cloud platform. Database credentials themselves are encrypted before being written to environment configuration.

No client-side streaming: Knoq uses a poll-and-persist architecture rather than server-sent events or WebSockets. The agent writes every event to the database; your browser polls a REST endpoint to read the transcript. This design removes an entire class of real-time transport attacks from the surface area.

Integration credential security
When you connect a tool (Slack, Notion, GitHub, Linear, etc.), Knoq stores the resulting OAuth token encrypted with AES-256-GCM. These tokens are:

- Never logged — no plaintext token ever appears in application logs or error traces.
- Never returned via API — credential retrieval endpoints do not exist. Tokens are read internally to make tool calls; they are never echoed back to the client.
- Refreshed automatically — tokens are refreshed approximately five minutes before expiry so that in-flight queries are never interrupted by an expired credential.
- Deleted on disconnect — when you disconnect an integration from Settings → Integrations, the token is deleted from Knoq’s database and the OAuth grant is revoked upstream in the source tool. There is no orphan credential left behind.
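
The envelope-encryption pattern named under "At rest", applied to a stored OAuth token as described in this section, can be sketched as follows. This is an added example, not Knoq's code: the record layout, the key ids (`v1`, `v2`), the use of associated data and all function names are assumptions. It shows why rotating the master key only re-wraps a 32-byte data key and leaves the credential ciphertext untouched.

```javascript
const crypto = require("node:crypto");

// AES-256-GCM with a fresh 96-bit nonce; `aad` binds the ciphertext to its context.
function seal(key, plaintext, aad) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv("aes-256-gcm", key, iv);
  c.setAAD(Buffer.from(aad));
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

// Throws if the key, tag, ciphertext or associated data does not match.
function open(key, box, aad) {
  const d = crypto.createDecipheriv("aes-256-gcm", key, box.iv);
  d.setAAD(Buffer.from(aad));
  d.setAuthTag(box.tag);
  return Buffer.concat([d.update(box.ct), d.final()]);
}

// Encrypt the token under a per-record data key (DEK), then wrap the DEK
// under the master key (KEK). Only wrappedDek depends on the master key.
function storeCredential(masterKeys, kekId, recordId, token) {
  const dek = crypto.randomBytes(32);
  const record = {
    recordId,
    kekId, // which master key version wrapped this DEK (assumed field)
    wrappedDek: seal(masterKeys[kekId], dek, `dek:${recordId}`),
    body: seal(dek, Buffer.from(token, "utf8"), `cred:${recordId}`),
  };
  dek.fill(0); // best-effort wipe of the plaintext DEK
  return record;
}

function readCredential(masterKeys, record) {
  const aad = `dek:${record.recordId}`;
  const dek = open(masterKeys[record.kekId], record.wrappedDek, aad);
  return open(dek, record.body, `cred:${record.recordId}`).toString("utf8");
}

// Rotation re-wraps the DEK under the new master key; record.body is reused as-is,
// so records can be migrated one at a time while both key versions are available.
function rotateRecord(masterKeys, record, newKekId) {
  const aad = `dek:${record.recordId}`;
  const dek = open(masterKeys[record.kekId], record.wrappedDek, aad);
  const wrappedDek = seal(masterKeys[newKekId], dek, aad);
  return { ...record, kekId: newKekId, wrappedDek };
}
```

Because the record id is used as associated data, a wrapped key or ciphertext copied onto a different record fails authentication instead of decrypting.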
X-Frame-Options: DENY.
Enterprise controls (Business tier)
The Business tier unlocks the governance controls that enterprise security and compliance teams typically require.

| Feature | Description |
|---|---|
| BYOK (Bring Your Own Key) | Supply your own AI provider API key. Model tokens route directly through your key and never transit Knoq’s infrastructure. See BYOK. |
| Enterprise SSO | Azure AD, Okta, and SAML 2.0 identity providers. SSO can be made mandatory for your organization. |
| SCIM provisioning | Automated user lifecycle management. Provision and deprovision members directly from your identity provider. |
| Append-only audit logs | Tamper-evident, append-only log of all administrative actions. Rows are never updated or deleted. See Audit Logs. |
| Custom domain | Serve Knoq from your own subdomain (knoq.yourcompany.com). Branded invite URLs are automatically used when a verified custom domain is configured. |
| Full admin dashboard | Complete visibility into org members, connector usage, query consumption, and billing. |
BYOK, enterprise SSO, and custom domain are gated on your organization’s paid Business tier — not on a trial. These features involve credential-bearing or DNS configuration that persists beyond any trial period, so Knoq requires an active Business subscription before enabling them.
Vulnerability reporting
If you discover a security vulnerability in Knoq, please report it responsibly:

- Email: security@knoq.one
- Security page: knoq.one/security
- Status page: knoq.one/status