security — voult.dev

Security-first

Authentication is the front door to your application. If someone gets past it, everything inside is compromised. That's why we built security into every layer of voult.dev from day one—not as an afterthought.

What's included

  • Bcrypt password hashing — all passwords are hashed with bcrypt before storage, so plaintext credentials never touch your database.
  • JWT + refresh token rotation — access tokens expire quickly and are rotated on every use. Refresh tokens are securely stored and can be revoked at any time.
  • CSRF protection — built-in double-submit cookie pattern prevents cross-site request forgery attacks.
  • Rate limiting — login and registration endpoints are rate-limited by default to thwart brute-force and credential-stuffing attacks.
  • Helmet security headers — all standard security headers (CSP, HSTS, X-Frame-Options, etc.) are set automatically so you don't have to remember them.

These aren't optional add-ons or "enterprise-only" features. They're wired in and working the moment you integrate the SDK.
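
The double-submit cookie pattern from the list above, shown as an added example using only the Node.js standard library. This is not voult.dev SDK code. It goes one step beyond the plain pattern by HMAC-signing the token and binding it to the session, and every name in it (`issueCsrfToken`, `verifyCsrf`, `CSRF_SECRET`, the session ids) is an assumption made for illustration.

```javascript
// Added example: HMAC-signed double-submit CSRF token (hypothetical names,
// not voult.dev SDK code). Node.js standard library only.
const crypto = require('node:crypto');

// Server-side secret. Assumption: a real service loads a stable value from
// configuration instead of generating one at start-up.
const CSRF_SECRET = crypto.randomBytes(32);

// MAC over the session id and nonce; the length prefix keeps the two fields
// from being confused with each other.
function sign(sessionId, nonce) {
  return crypto.createHmac('sha256', CSRF_SECRET)
    .update(`${sessionId.length}:${sessionId}:${nonce}`)
    .digest('hex');
}

// Token to set as a cookie that page script can read (so not HttpOnly);
// the client copies it into a request header on state-changing requests.
function issueCsrfToken(sessionId) {
  const nonce = crypto.randomBytes(16).toString('hex');
  return `${nonce}.${sign(sessionId, nonce)}`;
}

// Constant-time comparison; timingSafeEqual throws on unequal lengths,
// so the length check comes first.
function safeEqual(a, b) {
  const x = Buffer.from(String(a));
  const y = Buffer.from(String(b));
  return x.length === y.length && crypto.timingSafeEqual(x, y);
}

// Accept only if cookie and header carry the same token AND its MAC is
// valid for this session. A cookie planted by another origin fails the MAC.
function verifyCsrf(sessionId, cookieToken, headerToken) {
  if (typeof cookieToken !== 'string' || typeof headerToken !== 'string') return false;
  if (!safeEqual(cookieToken, headerToken)) return false;
  const [nonce, mac, ...rest] = cookieToken.split('.');
  if (!nonce || !mac || rest.length) return false;
  return safeEqual(mac, sign(sessionId, nonce));
}

// Constructed sample values.
const token = issueCsrfToken('session-A');
console.log(verifyCsrf('session-A', token, token));     // matching cookie and header
console.log(verifyCsrf('session-A', token, undefined)); // header missing (forged cross-site form)
console.log(verifyCsrf('session-B', token, token));     // token issued for another session
```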