Security

Hoziron is designed for enterprise environments where compliance, auditability, and access control aren't optional. This section covers the platform's security model from an operator's perspective — how to authenticate clients, control who can do what, harden your deployment, and maintain a verifiable audit trail.

The security model follows defense in depth: network controls limit who can reach the API, authentication verifies identity, RBAC restricts actions, and the audit log records everything for post-hoc review.

What you'll find here

Common tasks

• Generate and rotate API keys → Authentication § API key management
• Set up SSO with your identity provider → Authentication § OIDC configuration
• Create a read-only role for monitoring → RBAC § Defining roles
• Restrict which agents a key can access → RBAC § Agent-scoped permissions
• Run through the production hardening steps → Hardening checklist § The checklist
• Query audit logs for a specific agent's actions → Audit trail § Querying events
• Verify audit log integrity → Audit trail § Integrity verification

Security layers

Each layer is independent — you can use IP allowlists without OIDC, or RBAC without the full hardening checklist. But for production deployments, all layers working together provide the strongest posture.

Key principles

• Least privilege by default — new API keys have no permissions until explicitly granted
• Secrets never at rest in config — API keys and credentials are read from environment variables or vault integrations
• Immutable audit trail — logged events include integrity hashes for tamper detection
• Health endpoint is always open — /health bypasses all auth so orchestrators can probe liveness

Related

• Deployment § TLS and networking — network-level security controls
• Data integration § Credentials — managing secrets for external systems
• Deployment § Hardening — OS-level hardening for bare metal