Security

How MicroStax protects your environments, data, and access controls.

MicroStax is built so teams can move fast without breaking things. We use industrial-strength isolation so you can share environments, seed data, and test risky changes with total confidence.

One Platform for the Whole Team

Keeping teams separated

  • every environment is associated with an organizationId
  • API reads and writes are scoped to the authenticated organization
  • org-level controls apply to environments, templates, seeds, and administrative actions

Authentication

  • bearer-token API authentication is supported for direct API and CLI use
  • GitHub OAuth is supported for the dashboard
  • internal role checks gate privileged operations

Setting permissions

Role-aware checks protect sensitive actions such as:

  • destructive lifecycle operations
  • baseline promotion
  • governance overrides
  • administrative reporting and audit access

Total Isolation

Your own space for every environment

Each environment is provisioned into its own Kubernetes namespace. This means your services, data, and config are completely separated from the rest of the team. We isolate:

  • pods
  • services
  • config maps
  • secrets
  • ingress and network policy objects

Smart network rules

MicroStax blocks all traffic by default and then opens only the paths your app actually needs:

  • service-to-service communication inside the environment
  • ingress to explicitly exposed services
  • required egress such as DNS and approved outbound traffic

Protecting Secrets and Data

Handling credentials securely

Blueprint-defined secrets are injected through managed secret resources instead of being treated as ordinary config.

Masking sensitive data in snapshots

When you clone data for testing, you can use built-in rules to protect user privacy:

  • source secret references
  • table inclusion and exclusion
  • sanitization strategies such as mask, hash, fake, redact, and nullify
  • controlled storage backends for snapshot artifacts

System secrets

Platform-internal credentials are managed outside user Blueprints and are not surfaced back to consumers.

Sharing And External Access

MicroStax supports shareable environment access with controls including:

  • tokenized share URLs
  • expiration timestamps
  • optional PIN protection
  • read-only data exposure for shared views

Ingress

Only services explicitly marked for exposure receive public ingress routes. This keeps internal services private by default.

Audit And Governance

Security-sensitive operations are not silent.

  • lifecycle events can be written to audit trails
  • promotion decisions can be governed and blocked by policy
  • governance logs provide allow/block visibility
  • organization compliance reporting gives admins a summarized view of posture

These controls matter especially once teams start using shared baselines, overlays, and mirrored runtime validation.

Observability As A Security Tool

MicroStax exposes operational telemetry that also supports security investigations:

  • log streaming
  • distributed traces
  • metrics
  • topology and routing views
  • diagnostic output for failing or policy-blocked environments

Consumer Recommendations

  • keep expose: true limited to services that need ingress
  • use managed secrets rather than plain-text credentials
  • prefer snapshot sanitization to manual data cloning
  • use share-link expiration and PINs for external access
  • route risky changes through overlays or shadows instead of editing shared baselines directly
Security | MicroStax Documentation