Security

Authentication

Sessions, the org-owner cloud link, and how credentials are custodied.

Openship uses session-based authentication. Browser clients authenticate with httpOnly session cookies; programmatic clients use bearer tokens.

Connecting a self-hosted instance to Openship Cloud performs a PKCE handshake that mints a cloud session for the connecting owner. It is stored encrypted, server-side only — the browser never sees it. Org-scoped cloud calls resolve this owner link and act on its behalf.

Credential custody

Sensitive credentials are held where they're safest, not copied around:

  • The GitHub App private key lives only on Openship Cloud; self-hosted instances mint App tokens through the cloud rather than holding the key.
  • Per-project git tokens and environment secrets are encrypted at rest.

Revocation

A removed member's session stops working on its next check, and disconnecting an instance revokes its cloud link.

On this page