Skip to main content

Security in Axon OS

· 3 min read
Axon OS Team
Axon OS Team
The team behind Axon OS

Security in Axon OS is built on a zero-trust foundation to meet the stringent standards required by enterprise environments.
Every component—from user authentication to workflow execution—is designed with privacy, encryption, and access control as core principles.

1. Zero-Trust Backend Architecture

Axon OS implements a zero-trust model across all backend services.
This means no internal service, user, or process is implicitly trusted.
Every interaction requires continuous verification, authenticated communication, and explicit authorization.

Key Characteristics:

  • Each microservice operates within an isolated trust boundary.
  • API calls and workflow executions are authenticated and signed.
  • Policy-driven access ensures minimal privilege for every role and service.
  • All inter-service communication is encrypted in transit and at rest.

2. Multi-Tenant Secret Management with HashiCorp Vault

All sensitive credentials, tokens, and API keys are securely managed using HashiCorp Vault, integrated natively within Axon OS.

Security Design:

  • Each organization operates within a dedicated tenant namespace in Vault.
  • Secrets are individually encrypted per user and stored with automatic rotation and revocation policies.
  • Fine-grained access control (ACLs) ensures that no cross-tenant data leakage can occur.
  • Vault audit logs provide complete traceability for all secret operations.

This architecture allows Axon OS to achieve enterprise-grade confidentiality and compliance for all workflows and AI processes.

3. Frontend Authentication and Secure Session Management

Frontend applications and user interfaces communicate securely with backend services using HTTP secure cookies combined with Keycloak-based token authentication.

Key Mechanisms:

  • Secure, same-site cookies protect session integrity from CSRF and interception.
  • Authentication tokens issued by Keycloak are verified on every backend request.
  • Role-based access control (RBAC) managed via Keycloak ensures consistent permissions across the platform.
  • Session expiration, token rotation, and forced logout policies maintain continuous security posture.

This ensures that only verified, authorized users can trigger workflows, view dashboards, or interact with AI nodes in Axon OS.

4. Enterprise-Grade Compliance and Governance

Axon OS aligns with the security and compliance expectations of enterprise deployments.
It integrates security controls directly into workflow generation and execution, ensuring compliance without slowing development.

Built-in Controls:

  • Encrypted data pipelines and runtime isolation for AI workflows.
  • Auditable activity logs for all API and orchestration events.
  • Support for SSO, LDAP, and enterprise identity providers through Keycloak integration.
  • Governance and compliance templates that embed organizational policies into generated code.

Summary

Axon OS combines zero-trust architecture, Vault-based secret management, and Keycloak authentication to deliver end-to-end security across AI workflows.
Every secret, user, and transaction is verified, encrypted, and governed — meeting the highest standards for multi-tenant enterprise environments.