Security at TryMellon
Verifiable claims about how our platform is built. No aspirational statements — only what the code actually does.
What the code does
Every claim is traceable to implementation. No compliance theater.
Phishing-resistant by design
Passkeys use FIDO2/WebAuthn. The private key never leaves the authenticator, and each assertion is bound to the relying-party origin, so a credential registered here cannot be replayed against a lookalike domain. There are no passwords to phish.
Authenticator cloning detection
Each WebAuthn assertion carries the authenticator's signature counter, which the authenticator increments on every use. If the received counter does not advance past the stored value (a regression or a repeat), an immutable audit event is written and a Sentry alert fires; the credential is never silently accepted. Authenticators that report a counter of zero (common for synced passkeys) give no cloning signal, so this check covers only credentials whose authenticator maintains a counter.
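The counter check described above, as an added example written for this page rather than TryMellon's own code. It follows the WebAuthn signCount rule (when either value is non-zero, the received counter must be strictly greater than the stored one); `auditLog` and `alerts` are stand-ins for the audit log and Sentry, and failing closed on a regression is an assumed policy.

```javascript
// Added example (not TryMellon's code): WebAuthn signature-counter check.
// WebAuthn signCount rule: when either the received or the stored counter is
// non-zero, the received value must be strictly greater than the stored one;
// anything else means a second authenticator may hold this private key.
// auditLog and alerts are stand-ins for the append-only audit log and Sentry.

const auditLog = []; // append-only: entries are frozen and never removed
const alerts = [];   // stand-in for a Sentry alert sink

function checkSignCount(credential, receivedSignCount, now = Date.now()) {
  const stored = credential.signCount;

  if (stored === 0 && receivedSignCount === 0) {
    // Authenticator does not implement a counter (common for synced passkeys):
    // there is no cloning signal to evaluate, so accept without updating.
    return { accepted: true, reason: 'no-counter' };
  }

  if (receivedSignCount > stored) {
    credential.signCount = receivedSignCount; // advance the stored counter
    return { accepted: true, reason: 'counter-advanced' };
  }

  // Regression or repeat: record it, alert, and fail closed (assumed policy).
  // The stored counter is deliberately left untouched.
  const event = Object.freeze({
    type: 'authenticator_clone_suspected',
    credentialId: credential.id,
    storedSignCount: stored,
    receivedSignCount,
    at: now,
  });
  auditLog.push(event);
  alerts.push(event);
  credential.cloneSuspected = true;
  return { accepted: false, reason: 'counter-regression' };
}
```

The no-counter branch is the caveat to keep in mind: a cloned authenticator that always reports zero passes this check, so counter regression is one signal among several, not proof of integrity.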
Brute-force lockout
5 failures → 30-minute soft lock. 10 failures → 24-hour hard lock. Failures are counted in a sliding window keyed per tenant and per user; counters reset on successful authentication.
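The lockout policy above, as an added in-memory example that is not TryMellon's implementation. The thresholds and lock durations are the ones stated; the length of the sliding window (`WINDOW_MS`) is not given on the page and is an assumption here.

```javascript
// Added example (not TryMellon's code): sliding-window lockout keyed per
// tenant and per user. Thresholds are those stated on the page; WINDOW_MS,
// the length of the sliding window, is an assumption.

const SOFT_LOCK_FAILURES = 5;
const SOFT_LOCK_MS = 30 * 60 * 1000;       // 30 minutes
const HARD_LOCK_FAILURES = 10;
const HARD_LOCK_MS = 24 * 60 * 60 * 1000;  // 24 hours
const WINDOW_MS = 24 * 60 * 60 * 1000;     // assumed window length

class LockoutPolicy {
  constructor() {
    // key -> { failures: number[] (ms timestamps), lockedUntil: number, level: string }
    this.entries = new Map();
  }

  // Tenant and user are joined with NUL so "a" + "b:c" cannot collide with "a:b" + "c".
  static key(tenant, user) {
    return `${tenant}\u0000${user}`;
  }

  entry(tenant, user) {
    const k = LockoutPolicy.key(tenant, user);
    if (!this.entries.has(k)) this.entries.set(k, { failures: [], lockedUntil: 0, level: 'none' });
    return this.entries.get(k);
  }

  // Call before verifying credentials; a locked principal is refused outright,
  // so attempts made during a lock never reach recordFailure.
  status(tenant, user, now = Date.now()) {
    const e = this.entry(tenant, user);
    if (e.lockedUntil > now) return { locked: true, level: e.level, until: e.lockedUntil };
    return { locked: false, level: 'none', until: 0 };
  }

  recordFailure(tenant, user, now = Date.now()) {
    const e = this.entry(tenant, user);
    e.failures.push(now);
    e.failures = e.failures.filter(t => t > now - WINDOW_MS); // drop failures outside the window
    const n = e.failures.length;
    if (n >= HARD_LOCK_FAILURES) {
      e.level = 'hard';
      e.lockedUntil = Math.max(e.lockedUntil, now + HARD_LOCK_MS);
    } else if (n >= SOFT_LOCK_FAILURES) {
      e.level = 'soft';
      e.lockedUntil = Math.max(e.lockedUntil, now + SOFT_LOCK_MS);
    }
    return { failuresInWindow: n, ...this.status(tenant, user, now) };
  }

  recordSuccess(tenant, user) {
    this.entries.delete(LockoutPolicy.key(tenant, user)); // counters reset on success
  }
}
```

In a multi-instance deployment the timestamp array would live in a shared store; a Redis sorted set keyed the same way (ZADD on failure, ZREMRANGEBYSCORE to trim the window, ZCARD for the count) is the usual shape, which is a design note here and not a statement about the platform's implementation.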
HMAC-SHA256 signed webhooks
All webhook payloads are signed with HMAC-SHA256. Your backend verifies the signature over the raw request body, using a constant-time comparison, before parsing or processing any event.
Append-only audit logs
Authentication events, lockouts, and replay detections are recorded in immutable audit logs with configurable retention.
Zero-dependency SDK
The @trymellon/js SDK ships with zero runtime dependencies, so installing it adds no transitive packages to your bundle; the supply-chain surface it introduces is the SDK itself.
Memory-hard secret hashing
API secrets are hashed with Argon2id using memory-hard parameters, so each guess costs memory as well as compute. That removes most of the advantage GPUs and ASICs have over CPUs for offline cracking, although it does not make cracking a low-entropy secret impossible.
Responsible Disclosure
If you discover a security vulnerability in TryMellon, please report it to us privately. We take all reports seriously.
Send reports to security@trymellon.com
- Acknowledgment: within 48 hours
- Remediation (critical): 30 days
- Public disclosure: coordinated, 90 days max
Out of scope: social engineering, DoS attacks, and automated scanning of production infrastructure.
Infrastructure
- Hosting Railway (US East)
- Edge / DDoS Cloudflare
- Database PostgreSQL 16
- Cache & Sessions Redis (TLS in transit)
- Monitoring Sentry + structured audit logs