RemlloDocs
Book demo
OverviewCore ConceptsIntegration OptionsAPI ReferenceOperationsSecurityGo-Live
DocsWatchTowerSecurity and MFA

Security and MFA

Operational security controls for WatchTower users, administrators, and ingestion owners.

Section

Security model

WatchTower separates operator access, organization membership, and source-system ingestion so each control surface can be governed independently.

Core controls

  • role-based access control
  • HttpOnly session cookies for console access
  • organization-scoped ingestion API keys
  • invite-based user onboarding
  • audit logs for sensitive actions
  • MFA with TOTP authenticator apps
  • password reset and change-password flows
Section

MFA

Users can enroll in MFA from the Security tab using QR code setup or manual secret copy with authenticator apps such as 1Password, Google Authenticator, or Microsoft Authenticator.

Recommended for

  • organization admins
  • risk leads
  • users who manage rules or controls
  • users who manage team access or API keys
Section

Invite and password flows

Team onboarding should happen through email invitations. Invite and reset tokens are temporary credentials and should not be forwarded broadly or stored in shared documents.

Supported flows

  • team invitation
  • invite acceptance and password setup
  • forgot password
  • reset-token verification
  • password reset completion
  • authenticated password change
Section

API key handling

Ingestion keys are organization-scoped secrets. They should be stored server-side and rotated when integration ownership, environment, or exposure risk changes.

Key hygiene

  • keep keys out of browser and mobile code
  • use separate keys per environment
  • use IP allowlisting where available
  • rotate keys after suspected exposure
  • review last-used metadata during rollout
Section

Audit logs and allowed IPs

WatchTower exposes organization audit history and allowed-IP controls so admins can review sensitive changes and constrain where authenticated traffic is expected to originate.

Relevant routes
/api/v1/orgs/audit-logs
/api/v1/orgs/allowed-ips
Section

Production readiness checklist

  • admins and risk leads have MFA enabled
  • team roles are reviewed for least privilege
  • ingestion keys are stored in a secret manager or backend config
  • sandbox and production keys are separate
  • key rotation owners are known
  • audit logs are reviewed after sensitive changes
Operator security baseline

Treat WatchTower as a production operations system. Strong access control and key hygiene should be part of rollout, not handled after incidents occur.